Taiye Lambo - Auditing the cloud

Kuwait Info Security Conference: Auditing the Cloud

Transcript of Taiye Lambo - Auditing the cloud

Page 1: Taiye Lambo - Auditing the cloud

Kuwait Info Security Conference: Auditing the Cloud

Page 2: Taiye Lambo - Auditing the cloud

About Me

Taiye Lambo CISSP, CISA, CISM, HISP, ISO 27001 Auditor
President & Founder, eFortresses, Inc.

Author, Holistic Information Security Practitioner (HISP) Certification Course

Founder, Holistic Information Security Practitioner (HISP) Institute – www.hispi.org
Founder, UK Honeynet Project – www.honeynet.org.uk

Hybrid technical and business information security practitioner, with 14 years' information security experience, including:

Delivered critical BS 7799, ISO 17799, ISO 27002 & ISO 27001 consulting engagements to various clients in the Manufacturing, Government, Financial Services and Healthcare sectors in the UK and US.


Presented at security events including conferences organized by ISSA, InfraGard, ISACA, CPM, HITRUST and SOFE.

Page 3: Taiye Lambo - Auditing the cloud

Caveats and Disclaimers

• This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security

• It is NOT intended to provide official eFortresses and/or NIST guidance, and NIST does not make policy
• Any mention of a vendor or product is NOT an endorsement or recommendation


Citation Note: Most sources for the material in this presentation are included within the PowerPoint slides.

Page 4: Taiye Lambo - Auditing the cloud

Cloud Computing Quotes from Vivek Kundra (Federal CIO):

"The cloud will do for government what the Internet did in the '90s," he said. "We're interested in consumer technology for the enterprise," Kundra added. "It's a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions."

Source: http://www.nextgov.com/nextgov/ng_20081126_1117.php

Page 5: Taiye Lambo - Auditing the cloud

AGENDA

Part I: Effective and Secure Use
• Understanding Cloud Computing
• Cloud Computing Case Studies

Part II: Cloud Auditing Best Practices
• ENISA
• CSA
• Microsoft
• CloudeAssurance

Page 6: Taiye Lambo - Auditing the cloud

Part I: Effective and Secure Use


Page 7: Taiye Lambo - Auditing the cloud

Understanding Cloud Computing
Origin of the term “Cloud Computing”

• “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google

• First cloud around networking (TCP/IP abstraction)
• Second cloud around documents (WWW data abstraction)
• The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms

– (“muck” as Amazon’s CEO Jeff Bezos calls it)

Jeff Bezos quote: http://news.cnet.com/8301-13953_3-9977100-80.html?tag=mncol
Kevin Marks quote: http://news.cnet.com/8301-13953_3-9938949-80.html?tag=mncol (video interview)

Page 8: Taiye Lambo - Auditing the cloud

A Working Definition of Cloud Computing

• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

• This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Page 9: Taiye Lambo - Auditing the cloud

Five Essential Cloud Characteristics

Page 10: Taiye Lambo - Auditing the cloud

Three Cloud Service Models

• Cloud Software as a Service (SaaS)
– Use provider’s applications over a network

• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud

• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources

• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics

Page 11: Taiye Lambo - Auditing the cloud

Service Model Architectures (diagram)

Software as a Service (SaaS) Architectures: SaaS on PaaS on IaaS on Cloud Infrastructure; SaaS on PaaS on Cloud Infrastructure; SaaS directly on Cloud Infrastructure
Platform as a Service (PaaS) Architectures: PaaS on IaaS on Cloud Infrastructure; PaaS directly on Cloud Infrastructure
Infrastructure as a Service (IaaS) Architectures: IaaS on Cloud Infrastructure

Page 12: Taiye Lambo - Auditing the cloud

NIST Four Cloud Deployment Models

• Private cloud – enterprise owned or leased

• Community cloud – shared infrastructure for specific community

• Public cloud – sold to the public, mega-scale infrastructure

• Hybrid cloud – composition of two or more clouds

Page 13: Taiye Lambo - Auditing the cloud

The NIST Cloud Definition Framework (diagram)

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

Page 14: Taiye Lambo - Auditing the cloud

Jericho Forum’s Cloud Cube Deployment Model

Page 15: Taiye Lambo - Auditing the cloud

General Security Advantages

• Shifting public data to an external cloud reduces the exposure of the internal sensitive data

• Cloud homogeneity makes security auditing/testing simpler

• Clouds enable automated security management

• Redundancy / Disaster Recovery

Page 16: Taiye Lambo - Auditing the cloud

Cloud Computing Case Studies and Security Models

Page 17: Taiye Lambo - Auditing the cloud

Google Cloud User: City of Washington D.C.

• Vivek Kundra, Former CTO for the DC (now Federal CIO)
• Migrating 38,000 employees to Google Apps
• Replace office software
– Gmail
– Google Docs (word processing and spreadsheets)
– Google video for business
– Google sites (intranet sites and wikis)

• “It's a fundamental change to the way our government operates by moving to the cloud. Rather than owning the infrastructure, we can save millions.” – Mr. Kundra

• 500,000+ organizations use Google Apps

Page 18: Taiye Lambo - Auditing the cloud

Case Study: Facebook’s Use of Open Source and Commodity Hardware (8/08)

• Jonathan Heiliger, Facebook's vice president of technical operations
• 80 million users + 250,000 new users per day
• 50,000 transactions per second, 10,000+ servers
• Built on open source software
– Web and App tier: Apache, PHP, AJAX
– Middleware tier: Memcached (open source caching)
– Data tier: MySQL (open source DB)

• Thousands of DB instances store data in distributed fashion (avoids collisions of many users accessing the same DB)

• “We don't need fancy graphics chips and PCI cards," he said. “We need one USB port and optimized power and airflow. Give me one CPU, a little memory and one power supply. If it fails, I don't care. We are solving the redundancy problem in software.”

Data taken from CNET news article and interview 8/18/08: http://news.cnet.com/8301-13953_3-10027064-80.html?tag=mncol

Page 19: Taiye Lambo - Auditing the cloud

Amazon Cloud Users: New York Times and Nasdaq (4/08)

• Both companies used Amazon’s cloud offering
• New York Times
– Didn’t coordinate with Amazon, used a credit card!
– Used EC2 and S3 to convert 15 million scanned news articles to PDF (4TB data)
– Took 100 Linux computers 24 hours (would have taken months on NYT computers)
– “It was cheap experimentation, and the learning curve isn't steep.” – Derrick Gottfrid, New York Times

• Nasdaq
– Uses S3 to deliver historic stock and fund information
– Millions of files showing price changes of entities over 10 minute segments
– “The expenses of keeping all that data online [in Nasdaq servers] was too high.” – Claude Courbois, Nasdaq VP
– Created lightweight Adobe AIR application to let users view data

Source: Infoworld article (availability zones and elastic IP), http://www.infoworld.com/article/08/03/27/Amazon-adds-resilience-to-cloud-computing_1.html

Page 20: Taiye Lambo - Auditing the cloud

Case Study: Salesforce.com in Government

• 5,000+ Public Sector and Nonprofit Customers use Salesforce Cloud Computing Solutions

• President Obama’s Citizen’s Briefing Book Based on Salesforce.com Ideas application

– Concept to Live in Three Weeks
– 134,077 Registered Users
– 1.4 M Votes
– 52,015 Ideas
– Peak traffic of 149 hits per second

• US Census Bureau Uses Salesforce.com Cloud Application

– Project implemented in under 12 weeks
– 2,500+ partnership agents use Salesforce.com for 2010 decennial census
– Allows projects to scale from 200 to 2,000 users overnight to meet peak periods with no capital expenditure

Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php

Page 21: Taiye Lambo - Auditing the cloud

Case Study: Salesforce.com in Government

• New Jersey Transit Wins InfoWorld 100 Award for its Cloud Computing Project
– Use Salesforce.com to run their call center, incident management, complaint tracking, and service portal
– 600% More Inquiries Handled
– 0 New Agents Required
– 36% Improved Response Time

• U.S. Army uses Salesforce CRM for Cloud-based Recruiting
– U.S. Army needed a new tool to track potential recruits who visited its Army Experience Center.
– Use Salesforce.com to track all core recruitment functions and allows the Army to save time and resources.

Source: http://arstechnica.com/software/news/2008/10/washington-dc-latest-to-drop-microsoft-for-web-apps.ars
Quote is from http://www.nextgov.com/nextgov/ng_20081126_1117.php

Page 22: Taiye Lambo - Auditing the cloud

Part II: Cloud Audit Best Practices

Page 23: Taiye Lambo - Auditing the cloud

ENISA


Page 24: Taiye Lambo - Auditing the cloud

ENISA
INFORMATION ASSURANCE REQUIREMENTS
PERSONNEL SECURITY
The majority of questions relating to personnel will be similar to those you would ask your own IT personnel or other personnel who are dealing with your IT. As with most assessments, there is a balance between the risks and the cost.

• What policies and procedures do you have in place when hiring your IT administrators or others with system access? These should include:
o pre-employment checks (identity, nationality or status, employment history and references, criminal convictions, and vetting (for senior personnel in high privilege roles)).
• Are there different policies depending on where the data is stored or applications are run?
o For example, hiring policies in one region may be different from those in another.
o Practices need to be consistent across regions.
o It may be that sensitive data is stored in one particular region with appropriate personnel.
• What security education program do you run for all staff?
• Is there a process of continuous evaluation?
o How often does this occur?
o Further interviews
o Security access and privilege reviews
o Policy and procedure reviews.

Page 25: Taiye Lambo - Auditing the cloud

ENISA

SUPPLY-CHAIN ASSURANCE
The following questions apply where the cloud provider subcontracts some operations that are key to the security of the operation to third parties (e.g., a SaaS provider outsourcing the underlying platform to a third party provider, a cloud provider outsourcing the security services to a managed security services provider, use of an external provider for identity management of operating systems, etc). It also includes third parties with physical or remote access to the cloud provider infrastructure. It is assumed that this entire questionnaire may be applied recursively to third (or nth) party cloud service providers.

• Define those services that are outsourced or subcontracted in your service delivery supply chain which are key to the security (including availability) of your operations.
• Detail the procedures used to assure third parties accessing your infrastructure (physical and/or logical).
o Do you audit your outsourcers and subcontractors and how often?
• Are any SLA provisions guaranteed by outsourcers lower than the SLAs you offer to your customers? If not, do you have supplier redundancy in place?
• What measures are taken to ensure third party service levels are met and maintained?
• Can the cloud provider confirm that security policy and controls are applied (contractually) to their third party providers?

Page 26: Taiye Lambo - Auditing the cloud

ENISA
OPERATIONAL SECURITY
It is expected that any commercial agreement with external providers will include service levels for all network services. However, in addition to the defined agreements, the end customer should still ensure that the provider employs appropriate controls to mitigate unauthorized disclosure.

• Detail your change control procedure and policy. This should also include the process used to re-assess risks as a result of changes and clarify whether the outputs are available to end customers.
• Define the remote access policy.
• Does the provider maintain documented operating procedures for information systems?
• Is there a staged environment to reduce risk, e.g., development, test and operational environments, and are they separated?
• Define the host and network controls employed to protect the systems hosting the applications and information for the end customer. These should include details of certification against external standards (e.g., ISO 27001/2).
• Specify the controls used to protect against malicious code.
• Are secure configurations deployed to only allow the execution of authorized mobile code and authorized functionality (e.g., only execute specific commands)?
• Detail policies and procedures for backup. This should include procedures for the management of removable media and methods for securely destroying media no longer required. (Depending on his business requirements, the customer may wish to put in place an independent backup strategy. This is particularly relevant where time-critical access to back-up is required.)

Page 27: Taiye Lambo - Auditing the cloud

ENISA
OPERATIONAL SECURITY
Audit logs are used in the event of an incident requiring investigation; they can also be used for troubleshooting. For these purposes, the end customer will need assurance that such information is available:

• Can the provider detail what information is recorded within audit logs?
o For what period is this data retained?
o Is it possible to segment data within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers and still be admissible in court?
o What controls are employed to protect logs from unauthorized access or tampering?
o What method is used to check and protect the integrity of audit logs?
• How are audit logs reviewed? What recorded events result in action being taken?
• What time source is used to synchronize systems and provide accurate audit log time stamping?
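The questions above ask how the provider protects audit log integrity and how one tenant's records can be segmented out. The following is an added example (not code from the slides or the ENISA document) of one answer a provider could give: a hash-chained log in which each record carries the SHA-256 of the record before it, so editing, deleting or reordering any record is detectable. The record fields, the GENESIS anchor value and the sample entries are assumptions constructed for the example; a real deployment would take timestamps from an NTP-synchronised clock and anchor the latest hash somewhere the log writer cannot modify.

```python
"""Hash-chained audit log with tamper detection and per-tenant extracts.

Added example, not from the ENISA questionnaire or the slides. Each record
stores the SHA-256 of the preceding record ('prev'), so editing, deleting or
reordering any record breaks the chain from that point on. Records also carry
a tenant field so a single customer's entries can be handed over without
exposing other tenants. Timestamps below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # hypothetical fixed anchor for the first record's 'prev'


def _canonical(body):
    # Deterministic serialisation: sorted keys and fixed separators so the
    # same logical record always produces the same digest.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, ts, tenant, actor, action):
    """Append a record chained to the previous one; returns the record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "tenant": tenant, "actor": actor, "action": action, "prev": prev}
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_chain(log):
    """Return (True, -1) if intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != expected_prev:
            return False, i  # a record was removed, inserted or reordered
        if hashlib.sha256(_canonical(body)).hexdigest() != rec.get("hash"):
            return False, i  # a record's content was changed in place
        expected_prev = rec["hash"]
    return True, -1


def tenant_extract(log, tenant):
    """One tenant's records only. Their 'prev'/'hash' values still line up
    with the provider's full chain, so an auditor holding the full log can
    confirm the extract is genuine without seeing other tenants' content."""
    return [r for r in log if r["tenant"] == tenant]


def build_sample_log():
    """Constructed sample data for the example (not real provider logs)."""
    log = []
    append_entry(log, "2009-04-01T08:00:00Z", "acme", "alice", "vm.start i-1")
    append_entry(log, "2009-04-01T08:01:00Z", "globex", "bob", "vm.delete i-9")
    append_entry(log, "2009-04-01T08:02:00Z", "acme", "alice", "vm.stop i-1")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    tampered = [dict(r) for r in log]
    tampered[1]["action"] = "vm.start i-9"  # rewrite history in place
    print("after edit:", verify_chain(tampered))
    print("acme extract:", [r["action"] for r in tenant_extract(log, "acme")])
```

The chain only proves that the log has not been altered since the hashes were written; an attacker who controls the log writer can still forge entries going forward, which is why the latest hash should be periodically published or written to a store the log writer cannot change.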

Page 28: Taiye Lambo - Auditing the cloud

ENISA

SOFTWARE ASSURANCE
• Define controls used to protect the integrity of the operating system and applications software used. Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48).
• How do you validate that new releases are fit-for-purpose or do not have risks (backdoors, Trojans, etc)? Are these reviewed before use?
• What practices are followed to keep the applications safe?
• Is a software release penetration tested to ensure it does not contain vulnerabilities? If vulnerabilities are discovered, what is the process for remedying these?

PATCH MANAGEMENT
• Provide details of the patch management procedure followed.
• Can you ensure that the patch management process covers all layers of the cloud delivery technologies – i.e., network (infrastructure components, routers and switches, etc), server operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc)?

Page 29: Taiye Lambo - Auditing the cloud

ENISA

NETWORK ARCHITECTURE CONTROLS
• Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
o Defense in depth (deep packet analysis, traffic throttling, packet black-holing, etc)
o Do you have defenses against ‘internal’ (originating from the cloud provider's networks) attacks as well as external (originating from the Internet or customer networks) attacks?
• What levels of isolation are used?
o for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.
• Does the architecture support continued operation from the cloud when the company is separated from the service provider and vice versa (e.g., is there a critical dependency on the customer LDAP system)?
• Is the virtual network infrastructure used by cloud providers (in PVLANs and VLAN tagging 802.1q (49) architecture) secured to vendor and/or best practice specific standards (e.g., are MAC spoofing, ARP poisoning attacks, etc, prevented via a specific security configuration)?

Page 30: Taiye Lambo - Auditing the cloud

ENISA

HOST ARCHITECTURE
• Does the provider ensure virtual images are hardened by default?
• Is the hardened virtual image protected from unauthorized access?
• Can the provider confirm that the virtualized image does not contain the authentication credentials?
• Is the host firewall run with only the minimum ports necessary to support the services within the virtual instance?
• Can a host-based intrusion prevention service (IPS) be run in the virtual instance?

Page 31: Taiye Lambo - Auditing the cloud

ENISA
PAAS – APPLICATION SECURITY
Generally speaking, PaaS service providers are responsible for the security of the platform software stack, and the recommendations throughout this document are a good foundation for ensuring a PaaS provider has considered security principles when designing and managing their PaaS platform. It is often difficult to obtain detailed information from PaaS providers on exactly how they secure their platforms – however the following questions, along with other sections within this document, should be of assistance in assessing their offerings.

• Request information on how multi-tenanted applications are isolated from each other – a high level description of containment and isolation measures is required.
• What assurance can the PaaS provider give that access to your data is restricted to your enterprise users and to the applications you own?
• The platform architecture should be classic ‘sandbox’ – does the provider ensure that the PaaS platform sandbox is monitored for new bugs and vulnerabilities?
• PaaS providers should be able to offer a set of security features (re-useable amongst their clients) – do these include user authentication, single sign on, authorization (privilege management), and SSL/TLS (made available via an API)?

Page 32: Taiye Lambo - Auditing the cloud

ENISA
SAAS – APPLICATION SECURITY
The SaaS model dictates that the provider manages the entire suite of applications delivered to end-users. Therefore SaaS providers are mainly responsible for securing these applications. Customers are normally responsible for operational security processes (user and access management). However the following questions, along with other sections within this document, should assist in assessing their offerings:

• What administration controls are provided and can these be used to assign read and write privileges to other users?
• Is the SaaS access control fine grained and can it be customized to your organization's policy?

RESOURCE PROVISIONING
• In the event of resource overload (processing, memory, storage, network)?
o What information is given about the relative priority assigned to my request in the event of a failure in provisioning?
o Is there a lead time on service levels and changes in requirements?
• How much can you scale up? Does the provider offer guarantees on maximum available resources within a minimum period?
• How fast can you scale up? Does the provider offer guarantees on the availability of supplementary resources within a minimum period?
• What processes are in place for handling large-scale trends in resource usage (e.g., seasonal effects)?

Page 33: Taiye Lambo - Auditing the cloud

ENISA
IDENTITY AND ACCESS MANAGEMENT
The following controls apply to the cloud provider’s identity and access management systems (those under their control):

AUTHORIZATION
• Do any accounts have system-wide privileges for the entire cloud system and, if so, for what operations (read/write/delete)?
• How are the accounts with the highest level of privilege authenticated and managed?
• How are the most critical decisions (e.g., simultaneous de-provisioning of large resource blocks) authorized (single or dual, and by which roles within the organization)?
• Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?
• Do you use role-based access control (RBAC)? Is the principle of least privilege followed?
• What changes, if any, are made to administrator privileges and roles to allow for extraordinary access in the event of an emergency?
• Is there an ‘administrator’ role for the customer? For example, does the customer administrator have a role in adding new users (but without allowing him to change the underlying storage!)?

Page 34: Taiye Lambo - Auditing the cloud

ENISA
IDENTITY PROVISIONING
• What checks are made on the identity of user accounts at registration? Are any standards followed? For example, the e-Government Interoperability Framework?
• Are there different levels of identity checks based on the resources required?
• What processes are in place for de-provisioning credentials?
• Are credentials provisioned and de-provisioned simultaneously throughout the cloud system, or are there any risks in de-provisioning them across multiple geographically distributed locations?

MANAGEMENT OF PERSONAL DATA
• What data storage and protection controls apply to the user directory (e.g., AD, LDAP) and access to it?
• Is user directory data exportable in an interoperable format?
• Is need-to-know the basis for access to customer data within the cloud provider?

Page 35: Taiye Lambo - Auditing the cloud

ENISA
KEY MANAGEMENT
For keys under the control of the cloud provider:
• Are security controls in place for reading and writing those keys? For example, strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication, direct shielded access to storage, short key lifetime, etc.
• Are security controls in place for using those keys to sign and encrypt data?
• Are procedures in place in the event of a key compromise? For example, key revocation lists.
• Is key revocation able to deal with simultaneity issues for multiple sites?
• Are customer system images protected or encrypted?

ENCRYPTION
• Encryption can be used in multiple places − where is it used?
o data in transit
o data at rest
o data in processor or memory?
• Usernames and passwords?
• Is there a well-defined policy for what should be encrypted and what should not be encrypted?
• Who holds the access keys?
• How are the keys protected?

Page 36: Taiye Lambo - Auditing the cloud

ENISA

AUTHENTICATION
• What forms of authentication are used for operations requiring high assurance? This may include login to management interfaces, key creation, access to multiple-user accounts, firewall configuration, remote access, etc.
• Is two-factor authentication used to manage critical components within the infrastructure, such as firewalls, etc?

CREDENTIAL COMPROMISE OR THEFT
• Do you provide anomaly detection (the ability to spot unusual and potentially malicious IP traffic and user or support team behavior)? For example, analysis of failed and successful logins, unusual time of day, and multiple logins, etc.
• What provisions exist in the event of the theft of a customer’s credentials (detection, revocation, evidence for actions)?
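The anomaly detection question above names three signals: failed and successful logins, unusual time of day, and multiple logins. The following added example (not code from the slides or the ENISA document) runs those three checks over authentication log lines. The line format, the thresholds, the "quiet hours" window and the sample log are all assumptions constructed for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Login anomaly detection over authentication log lines.

Added example, not from the slides or the ENISA text. Implements the checks
the questionnaire names: a burst of failures from one source (brute force), a
success from a source already seen brute-forcing, the same user succeeding
from two sources within minutes, and a success in assumed quiet hours. The
line format, thresholds and sample lines are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical line format: "<ISO-8601 UTC> user=<name> src=<ip> result=OK|FAIL"
LINE_RX = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                      # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)     # ... within this window => brute force
MULTI_IP_WINDOW = timedelta(minutes=5)  # same user, two sources, this close
QUIET_HOURS = range(0, 5)               # 00:00-04:59 UTC assumed outside normal use

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2009-03-02T09:00:01Z user=alice src=203.0.113.5 result=OK
2009-03-02T09:02:10Z user=bob src=198.51.100.7 result=FAIL
2009-03-02T09:02:12Z user=bob src=198.51.100.7 result=FAIL
2009-03-02T09:02:15Z user=carol src=198.51.100.7 result=FAIL
2009-03-02T09:02:17Z user=dave src=198.51.100.7 result=FAIL
2009-03-02T09:02:20Z user=erin src=198.51.100.7 result=FAIL
2009-03-02T09:02:25Z user=erin src=198.51.100.7 result=OK
2009-03-02T09:03:00Z user=alice src=203.0.113.9 result=OK
2009-03-02T13:30:00Z user=bob src=203.0.113.5 result=OK
2009-03-03T02:45:00Z user=carol src=203.0.113.5 result=OK
""".splitlines()


def parse(lines):
    """Parse and time-order the lines; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    events.sort()
    return events


def detect(lines):
    """Return a list of (rule, detail) alerts in the order they fire."""
    alerts = []
    fails_by_src = defaultdict(deque)   # src -> timestamps of recent failures
    ok_by_user = defaultdict(deque)     # user -> (ts, src) of recent successes
    flagged_src = set()                 # sources already reported for brute force
    for ts, user, src, result in parse(lines):
        if result == "FAIL":
            q = fails_by_src[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged_src:
                flagged_src.add(src)
                alerts.append(("brute_force", f"{src}: {len(q)} failures within {FAIL_WINDOW}"))
            continue
        # Successful login: apply the success-side rules.
        if src in flagged_src:
            alerts.append(("success_after_brute_force", f"{user} from {src}"))
        q = ok_by_user[user]
        while q and ts - q[0][0] > MULTI_IP_WINDOW:
            q.popleft()
        others = sorted({s for _, s in q if s != src})
        if others:
            alerts.append(("multiple_source_login", f"{user} from {src} and {others}"))
        q.append((ts, src))
        if ts.hour in QUIET_HOURS:
            alerts.append(("off_hours_login", f"{user} from {src} at {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Against the sample log this reports the five-failure burst from 198.51.100.7, the success for erin from that same source immediately afterwards, alice succeeding from two addresses three minutes apart, and carol's 02:45 UTC login. The quiet-hours window is the weakest of the four signals and should be set per customer, or per user, from observed behaviour rather than a fixed range.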

IDENTITY AND ACCESS MANAGEMENT SYSTEMS OFFERED TO THE CLOUD CUSTOMER
The following questions apply to the identity and access management systems which are offered by the cloud provider for use and control by the cloud customer:

Page 37: Taiye Lambo - Auditing the cloud

ENISA

IDENTITY MANAGEMENT FRAMEWORKS
• Does the system allow for a federated IDM infrastructure which is interoperable both for high assurance (OTP systems, where required) and low assurance (e.g., username and password)?
• Is the cloud provider interoperable with third party identity providers?
• Is there the ability to incorporate single sign-on?

ACCESS CONTROL
• Does the client credential system allow for the separation of roles and responsibilities and for multiple domains (or a single key for multiple domains, roles and responsibilities)?
• How do you manage access to customer system images – and ensure that the authentication and cryptographic keys are not contained within them?
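Both the host architecture question ("the virtualized image does not contain the authentication credentials") and the access control question just above ("authentication and cryptographic keys are not contained within them") are checks an auditor can run rather than take on trust. The following added example (not code from the slides or the ENISA document) walks an unpacked image root and flags the common ways credentials get baked in. The directory layout, the patterns, and every value in the sample image are assumptions constructed for the example; the access-key pattern follows the AKIA... shape of AWS access key IDs and stands in for whatever formats the provider actually issues.

```python
"""Scan an unpacked VM image tree for baked-in credentials.

Added example, not from the slides or the ENISA text. It walks a directory
holding an unpacked image root and flags private key blocks, usable password
hashes in /etc/shadow, non-empty authorized_keys files, strings shaped like
cloud access key IDs, and plaintext password assignments in configuration
files. The image laid out by build_sample_image() is constructed; all values
in it are fake.
"""
import os
import re
import stat
import tempfile

# Heuristic patterns (assumptions for the example).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?im)^\s*(?:password|passwd|secret)\s*[=:]\s*\S+"),
}
SKIP_TOP_DIRS = {"proc", "sys", "dev"}   # pseudo-filesystems, nothing to scan
MAX_BYTES = 1_000_000                    # skip large binaries in this example


def _shadow_has_usable_hash(text):
    # /etc/shadow fields: name:hash:...  An empty hash, '*' or anything
    # starting with '!' means the account cannot log in with a password.
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1:
            h = fields[1]
            if h and h != "*" and not h.startswith("!"):
                return True
    return False


def scan_image(root):
    """Return sorted (path-inside-image, finding) pairs."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir.split(os.sep)[0] in SKIP_TOP_DIRS:
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                    continue
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "replace")
            except OSError:
                continue
            if rel == "/etc/shadow" and _shadow_has_usable_hash(text):
                findings.add((rel, "shadow_password_hash"))
            if name == "authorized_keys" and text.strip():
                findings.add((rel, "authorized_keys_present"))
            for label, rx in PATTERNS.items():
                if rx.search(text):
                    findings.add((rel, label))
    return sorted(findings)


def build_sample_image():
    """Lay out a small constructed image root in a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="img-")
    files = {  # every secret-looking value here is fake
        "etc/hostname": "web-01\n",
        "etc/shadow": "root:$6$saltsalt$FAKEHASHFAKEHASH:14300:0:99999:7:::\n"
                      "daemon:*:14300:0:99999:7:::\n",
        "etc/app.conf": "listen = 0.0.0.0:8080\npassword = hunter2-not-real\n",
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYMATERIAL\n"
                            "-----END RSA PRIVATE KEY-----\n",
        "root/.aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\n",
        "home/ubuntu/.ssh/authorized_keys": "ssh-rsa AAAAB3FAKE example@host\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for path, finding in scan_image(build_sample_image()):
        print(f"{finding:24} {path}")
```

A clean image should produce no findings: password hashes belong to accounts that are locked ('!' or '*'), SSH host and user keys are generated on first boot, and credentials are injected at instance launch rather than stored in the template. Any hit is a question for the provider, since the same credential is then present in every instance launched from that image.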

AUTHENTICATION
• How does the cloud provider identify itself to the customer (i.e., is there mutual authentication)?
o when the customer sends API commands?
o when the customer logs into the management interface?
• Do you support a federated mechanism for authentication?
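The mutual authentication question for API commands has a concrete shape: the customer must prove who sent a command, and the provider must prove who answered it. The following added example (not code from the slides or the ENISA document) shows one such exchange with keyed-hash signatures on both sides. The customer signs each request with a per-customer request key over key id, timestamp, nonce, method, path and body hash; the provider checks freshness, the signature and the nonce, then signs its reply with a separate per-customer response key and binds the reply to the request signature. The key names, message layout, skew tolerance and the keys themselves are assumptions constructed for the example; the keys are not real.

```python
"""Mutually authenticated API calls with keyed-hash signatures.

Added example, not from the slides or the ENISA text. Both sides hold two
per-customer secrets: a request key (customer -> provider) and a response key
(provider -> customer). Per-customer keys matter here because a single
provider-wide response key would let any customer forge "provider" replies to
any other customer. Keys, ids and paths below are constructed.
"""
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 300  # assumed tolerance between customer and provider clocks


def _sign(key, *parts):
    # HMAC-SHA256 over newline-joined fields; the fixed field order is what
    # stops two different requests from producing the same signed string.
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


class Customer:
    def __init__(self, key_id, request_key, response_key):
        self.key_id, self.request_key, self.response_key = key_id, request_key, response_key

    def sign_request(self, method, path, body, now):
        ts, nonce = str(int(now)), secrets.token_hex(8)
        body_hash = hashlib.sha256(body.encode()).hexdigest()
        sig = _sign(self.request_key, self.key_id, ts, nonce, method, path, body_hash)
        return {"key_id": self.key_id, "ts": ts, "nonce": nonce,
                "method": method, "path": path, "body": body, "sig": sig}

    def verify_response(self, request, response):
        """True only if the reply was made by the holder of our response key
        and is the reply to this exact request (bound via request['sig'])."""
        expected = _sign(self.response_key, request["sig"], str(response["status"]), response["body"])
        return hmac.compare_digest(expected, response["sig"])


class Provider:
    def __init__(self, customer_keys):
        self.customer_keys = customer_keys   # key_id -> (request_key, response_key)
        self.seen_nonces = set()             # (key_id, nonce) already accepted

    def handle(self, req, now):
        keys = self.customer_keys.get(req["key_id"])
        if keys is None:
            return {"status": 401, "body": "unknown key id", "sig": ""}  # no key to sign with
        request_key, response_key = keys
        if abs(now - int(req["ts"])) > MAX_SKEW_SECONDS:
            return self._reply(req, response_key, 401, "timestamp outside allowed skew")
        body_hash = hashlib.sha256(req["body"].encode()).hexdigest()
        expected = _sign(request_key, req["key_id"], req["ts"], req["nonce"],
                         req["method"], req["path"], body_hash)
        if not hmac.compare_digest(expected, req["sig"]):
            return self._reply(req, response_key, 401, "bad signature")
        if (req["key_id"], req["nonce"]) in self.seen_nonces:
            return self._reply(req, response_key, 401, "replayed nonce")
        self.seen_nonces.add((req["key_id"], req["nonce"]))
        return self._reply(req, response_key, 200, f"ok {req['method']} {req['path']}")

    def _reply(self, req, response_key, status, body):
        # Every reply, including rejections, is signed and bound to the request.
        return {"status": status, "body": body,
                "sig": _sign(response_key, req["sig"], str(status), body)}


if __name__ == "__main__":
    rk, pk = b"request-key-example", b"response-key-example"  # constructed, not real
    customer = Customer("acme-1", rk, pk)
    provider = Provider({"acme-1": (rk, pk)})
    now = 1236000000
    req = customer.sign_request("POST", "/v1/instances", '{"size":"small"}', now)
    resp = provider.handle(req, now + 2)
    print(resp["status"], resp["body"], "provider verified:", customer.verify_response(req, resp))
    print("replay:", provider.handle(req, now + 3)["body"])
```

The nonce set needs only to cover the skew window, since anything older is rejected on timestamp alone. Symmetric keys keep the example short; where non-repudiation matters, or where one side must not be able to forge the other's messages, the response signature would be a public-key signature over the same fields.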

Page 38: Taiye Lambo - Auditing the cloud

ENISA

ASSET MANAGEMENT
It is important to ensure the provider maintains a current list of hardware and software (applications) assets under the cloud provider's control. This enables checks that all systems have appropriate controls employed, and that systems cannot be used as a backdoor into the infrastructure.

• Does the provider have an automated means to inventory all assets, which facilitates their appropriate management?
• Is there a list of assets that the customer has used over a specific period of time?

The following questions are to be used where the end customer is deploying data that would require additional protection (i.e., deemed as sensitive).

• Are assets classified in terms of sensitivity and criticality?
o If so, does the provider employ appropriate segregation between systems with different classifications and for a single customer who has systems with different security classifications?

Page 39: Taiye Lambo - Auditing the cloud

ENISA

DATA AND SERVICES PORTABILITY
This set of questions should be considered in order to understand the risks related to vendor lock-in.

• Are there documented procedures and APIs for exporting data from the cloud?
• Does the vendor provide interoperable export formats for all data stored within the cloud?
• In the case of SaaS, are the API interfaces used standardized?
• Are there any provisions for exporting user-created applications in a standard format?
• Are there processes for testing that data can be exported to another cloud provider – should the client wish to change provider, for example?
• Can the client perform their own data extraction to verify that the format is universal and is capable of being migrated to another cloud provider?

Page 40: Taiye Lambo - Auditing the cloud

ENISA

BUSINESS CONTINUITY MANAGEMENT
Providing continuity is important to an organization. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, there remain a number of additional considerations.

• Does the provider maintain a documented method that details the impact of a disruption?
o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service.
o Are information security activities appropriately addressed in the restoration process?
o What are the lines of communication to end customers in the event of a disruption?
o Are the roles and responsibilities of teams clearly identified when dealing with a disruption?
• Has the provider categorized the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW).
• What dependencies relevant to the restoration process exist? Include suppliers and outsource partners.
• In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site?

Page 41: Taiye Lambo - Auditing the cloud

ENISA

INCIDENT MANAGEMENT AND RESPONSE

Incident management and response is a part of business continuity management. The goal of this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization.

To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident, the following questions should be asked of a cloud provider:

• Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents?
• Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider's support organization is aware of the processes and of their roles during incident handling (both during the incident and post analysis)?
• How are the detection capabilities structured?
  o How can the cloud customer report anomalies and security events to the provider?
  o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider?
  o Is there a real time security monitoring (RTSM) service in place? Is the service outsourced? What kind of parameters and services are monitored?
  o Do you provide (upon request) a periodical report on security incidents (e.g., according to the ITIL definition)?
  o For how long are the security logs retained? Are those logs securely stored? Who has access to the logs?
  o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image? Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party?

Page 42: Taiye Lambo - Auditing the cloud

ENISA

INCIDENT MANAGEMENT AND RESPONSE

• How are severity levels defined?
• How are escalation procedures defined? When (if ever) is the cloud customer involved?
• How are incidents documented and evidence collected?
• Besides authentication, accounting and audit, what other controls are in place to prevent (or minimize the impact of) malicious activities by insiders?
• Does the provider offer the customer (upon request) a forensic image of the virtual machine?
• Does the provider collect incident metrics and indicators (i.e., number of detected or reported incidents per month, number of incidents caused by the cloud provider's subcontractors and the total number of such incidents, average time to respond and to resolve, etc.)?
  o Which of these does the provider make publicly available (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information)?
• How often does the provider test disaster recovery and business continuity plans?
• Does the provider collect data on the levels of satisfaction with SLAs?
• Does the provider carry out help desk tests? For example:
  o Impersonation tests (is the person at the end of the phone requesting a password reset really who they say they are?) or so called 'social engineering' attacks.

Page 43: Taiye Lambo - Auditing the cloud

ENISA

INCIDENT MANAGEMENT AND RESPONSE

• Does the provider carry out penetration testing? How often? What is actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to 'break out' of one image into another and also gain access to the host infrastructure? The tests should also check to see if it is possible to gain access, via the virtual image, to the cloud provider's management and support systems (e.g., the provisioning and admin access control systems).
• Does the provider carry out vulnerability testing? How often?
• What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later versions of software, etc.)?

Page 44: Taiye Lambo - Auditing the cloud

ENISA

PHYSICAL SECURITY

As with personnel security, many of the potential issues arise because the IT infrastructure is under the control of a third party – like traditional outsourcing, the effect of a physical security breach can have an impact on multiple customers (organizations).

• What assurance can you provide to the customer regarding the physical security of the location? Please provide examples, and any standards that are adhered to, e.g., Section 9 of ISO 27001/2.
  o Who, other than authorized IT personnel, has unescorted (physical) access to IT infrastructure?
    • For example, cleaners, managers, 'physical security' staff, contractors, consultants, vendors, etc.
  o How often are access rights reviewed?
    • How quickly can access rights be revoked?
  o Do you assess security risks and evaluate perimeters on a regular basis?
    • How frequently?

Page 45: Taiye Lambo - Auditing the cloud

ENISA

PHYSICAL SECURITY

  o Do you carry out regular risk assessments which include things such as neighboring buildings?
  o Do you control or monitor personnel (including third parties) who access secure areas?
  o What policies or procedures do you have for loading, unloading and installing equipment?
  o Are deliveries inspected for risks before installation?
  o Is there an up-to-date physical inventory of items in the data centre?
  o Do network cables run through public access areas?
    • Do you use armored cabling or conduits?
  o Do you regularly survey premises to look for unauthorized equipment?
  o Is there any off-site equipment?
    • How is this protected?

Page 46: Taiye Lambo - Auditing the cloud

ENISA

PHYSICAL SECURITY

  o Do your personnel use portable equipment (e.g., laptops, smart phones) which can give access to the data centre?
    • How are these protected?
  o What measures are in place to control access cards?
  o What processes or procedures are in place to destroy old media or systems when required to do so?
    • data overwritten?
    • physical destruction?
  o What authorization processes are in place for the movement of equipment from one site to another?
    • How do you identify staff (or contractors) who are authorized to do this?
  o How often are equipment audits carried out to monitor for unauthorized equipment removal?
  o How often are checks made to ensure that the environment complies with the appropriate legal and regulatory requirements?

Page 47: Taiye Lambo - Auditing the cloud

ENISA

ENVIRONMENTAL CONTROLS

• What procedures or policies are in place to ensure that environmental issues do not cause an interruption to service?
• What methods do you use to prevent damage from a fire, flood, earthquake, etc.?
  o In the event of a disaster, what additional security measures are put in place to protect physical access?
  o Both at the primary as well as at the secondary sites?
• Do you monitor the temperature and humidity in the data centre?
  o Air-conditioning considerations or monitoring?
• Do you protect your buildings from lightning strikes?
  o Including electrical and communication lines?
• Do you have stand-alone generators in the event of a power failure?
  o For how long can they run?
  o Are there adequate fuel supplies?
  o Are there failover generators?
  o How often do you check UPS equipment?
  o How often do you check your generators?
  o Do you have multiple power suppliers?

Page 48: Taiye Lambo - Auditing the cloud

ENISA

ENVIRONMENTAL CONTROLS

• Are all utilities (electricity, water, etc.) capable of supporting your environment?
  o How often is this re-evaluated and tested?
• Is your air-conditioning capable of supporting your environment?
  o How often is it tested?
• Do you follow manufacturers' recommended maintenance schedules?
• Do you only allow authorized maintenance or repair staff onto the site?
  o How do you check their identity?
• When equipment is sent away for repair, is the data cleaned from it first?
  o How is this done?

Page 49: Taiye Lambo - Auditing the cloud

ENISA

LEGAL REQUIREMENTS

Customers and potential customers of cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with.

The key legal questions the customer should ask the cloud provider are:

• In what country is the cloud provider located?
• Is the cloud provider's infrastructure located in the same country or in different countries?
• Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
• Where will the data be physically located?
• Will jurisdiction over the contract terms and over the data be divided?
• Will any of the cloud provider's services be subcontracted out?
• Will any of the cloud provider's services be outsourced?
• How will the data provided by the customer and the customer's customers be collected, processed and transferred?
• What happens to the data sent to the cloud provider upon termination of the contract?

Page 50: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

Page 51: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA) Taxonomy

Page 52: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA) Mapping

Page 53: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

Domain 4: Compliance and Audit

With Cloud Computing developing as a viable and cost effective means to outsource entire systems or even entire business processes, maintaining compliance with your security policy and the various regulatory and legislative requirements to which your organization is subject can become more difficult to achieve and even harder to demonstrate to auditors and assessors.

Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to understand:

• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between cloud provider and cloud customer
• Cloud provider's ability to produce evidence needed for compliance
• Cloud customer's role in bridging the gap between cloud provider and auditor/assessor

Page 54: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

Recommendations

√ Involve Legal and Contracts Teams. The cloud provider's standard terms of service may not address your compliance needs; therefore it is beneficial to have both legal and contracts personnel involved early to ensure that cloud services contract provisions are adequate for compliance and audit obligations.

√ Right to Audit Clause. Customers will often need the ability to audit the cloud provider, given the dynamic natures of both the cloud and the regulatory environment. A right to audit contract clause should be obtained whenever possible, particularly when using the cloud provider for a service for which the customer has regulatory compliance responsibilities. Over time, the need for this right should be reduced and in many cases replaced by appropriate cloud provider certifications, related to our recommendation for ISO/IEC 27001 certification scoping later in this section.

√ Analyze Compliance Scope. Determining whether the compliance regulations which the organization is subject to will be impacted by the use of cloud services, for a given set of applications and data.

Page 55: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

Recommendations

√ Analyze Impact of Regulations on Data Security. Potential end users of Cloud Computing services should consider which applications and data they are considering moving to cloud services, and the extent to which they are subject to compliance regulations.

√ Review Relevant Partners and Services Providers. This is general guidance for ensuring that service provider relationships do not negatively impact compliance. Assessing which service providers are processing data that is subject to compliance regulations, and then assessing the security controls provided by those service providers, is fundamental. Several compliance regulations have specific language about assessing and managing third party vendor risk. As with non-cloud IT and business services, organizations need to understand which of their cloud business partners are processing data subject to compliance regulations.

Page 56: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

Recommendations

√ Understand Contractual Data Protection Responsibilities and Related Contracts. The cloud service model to an extent dictates whether the customer or the cloud service provider is responsible for deploying security controls. In an IaaS deployment scenario, the customer has a greater degree of control and responsibility than in a SaaS scenario. From a security control standpoint, this means that IaaS customers will have to deploy many of the security controls for regulatory compliance. In a SaaS scenario, the cloud service provider must provide the necessary controls. From a contractual perspective, understanding the specific requirements, and ensuring that the cloud services contract and service level agreements adequately address them, are key.

√ Analyze Impact of Regulations on Provider Infrastructure. In the area of infrastructure, moving to cloud services requires careful analysis as well. Some regulatory requirements specify controls that are difficult or impossible to achieve in certain cloud service types.

Page 57: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

√ Analyze Impact of Regulations on Policies and Procedures. Moving data and applications to cloud services will likely have an impact on policies and procedures. Customers should assess which policies and procedures related to regulations will have to change. Examples of impacted policies and procedures include activity reporting, logging, data retention, incident response, controls testing, and privacy policies.

√ Prepare Evidence of How Each Requirement Is Being Met. Collecting evidence of compliance across the multitude of compliance regulations and requirements is a challenge. Customers of cloud services should develop processes to collect and store compliance evidence including audit logs and activity reports, copies of system configurations, change management reports, and other test procedure output. Depending on the cloud service model, the cloud provider may need to provide much of this information.

√ Auditor Qualification and Selection. In many cases the organization has no say in selecting auditors or security assessors. If an organization does have selection input, it is highly advisable to pick a "cloud aware" auditor since many might not be familiar with cloud and virtualization challenges. Asking their familiarity with the IaaS, PaaS, and SaaS nomenclature is a good starting point.

Page 58: Taiye Lambo - Auditing the cloud

Cloud Security Alliance (CSA)

√ Cloud Provider's SAS 70 Type II. Providers should have this audit statement at a minimum, as it will provide a recognizable point of reference for auditors and assessors. Since a SAS 70 Type II audit only assures that controls are implemented as documented, it is equally important to understand the scope of the SAS 70 audit, and whether these controls meet your requirements.

√ Cloud Provider's ISO/IEC 27001/27002 Roadmap. Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices.

√ ISO/IEC 27001/27002 Scoping. The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria.

Contributors: Nadeem Bukhari, Anton Chuvakin, Peter Gregory, Jim Hietala, Greg Kane, Patrick Sullivan

Page 59: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 60: Taiye Lambo - Auditing the cloud

Microsoft Azure Services


Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das

Page 61: Taiye Lambo - Auditing the cloud

Windows Azure Applications, Storage, and Roles

[Diagram: Web Role (n instances), LB, Worker Role (m instances), and Cloud Storage (blob, table, queue)]

Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das

Page 62: Taiye Lambo - Auditing the cloud

MICROSOFT

Microsoft provides a trustworthy cloud through focus on three areas:

• Utilizing a risk-based information security program that assesses and prioritizes security and operational threats to the business
• Maintaining and updating a detailed set of security controls that mitigate risk
• Operating a compliance framework that ensures controls are designed appropriately and are operating effectively

Microsoft is able to obtain key certifications such as International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations, and to more efficiently pass regular audits from independent third parties.

Page 63: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 64: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 65: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 66: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 67: Taiye Lambo - Auditing the cloud

MICROSOFT


Page 68: Taiye Lambo - Auditing the cloud

MICROSOFT

Microsoft Trustworthy Computing, home page: http://www.microsoft.com/twc
Microsoft Online Privacy Notice Highlights: http://www.microsoft.com/privacy
The ISO 27001:2005 certificate for the Global Foundation Services group at Microsoft: http://www.bsi-global.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search-Results/?pg=1&licencenumber=IS+533913&searchkey=companyXeqXmicrosoft
Microsoft Global Foundation Services, home page: http://www.globalfoundationservices.com
The Microsoft Security Development Lifecycle (SDL): http://msdn.microsoft.com/en-us/security/cc448177.aspx
Microsoft Security Development Lifecycle (SDL) – version 3.2, process guidance: http://msdn.microsoft.com/en-us/library/cc307748.aspx
Microsoft Security Response Center: http://www.microsoft.com/security/msrc
The Microsoft SDL Threat Modeling Tool: http://msdn.microsoft.com/en-us/security/dd206731.aspx
Microsoft Online Services: http://www.microsoft.com/online

Page 69: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 70: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 71: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 72: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 73: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 74: Taiye Lambo - Auditing the cloud

CloudeAssurance.com


Page 75: Taiye Lambo - Auditing the cloud

Questions?

• Thank-you!

Email questions to [email protected]
Requests for materials, slides, etc.
Keep in touch