“Cloud Computing”: networked and distributed services. Your considerations do not change:
- Information Availability
- Information Confidentiality
- Information Integrity
Specific aspects of those considerations should not be neglected:
- Abuse of Service (including abuse of trial periods, attack upon other services)
- Abuse of interfaces and APIs
- Abuse of trust, malicious insiders
When third parties are involved (“public cloud”, “shared tenants”), specific aspects should not be neglected:
- Shared Technology Issues
- Data Loss or Leakage
- Account or Service Hijacking
- Unknown Risk Profile
- Breach Investigation
While the cloud service provider may be responsible for many aspects of security, some may be out of their control.
- Can I identify which users are sharing data, and what data are they sharing?
- Can I identify where users are accessing SaaS services and data?
- Can I enforce a policy that prevents, restricts or details access from undesirable devices, unwanted behavior, geographic regions and IP addresses?
- How can I ensure that my organization is proactively recommending a SaaS application (CRM, storage or productivity) that is business-ready?
- How can I detect (and then deny) malicious actors who have accessed my applications yet have valid user credentials?
- If my cloud service does not have the compensating controls I need (encryption, tokenization or data loss prevention), how can I mitigate this?
- As a cloud service provider, your concerns and measures are somewhat traditional. As a cloud service consumer, your concerns are traditional but your measures are not.
Trust, but verify. How does a cloud service consumer verify the cloud service provider’s procedures? What auditing authority would place a seal of approval upon a third party service provider’s processes? For example, you would not want customers to be conducting penetration tests against your shared service provider. You would not want your cloud service provider to report that they passed their penetration test (was the test of any value if the summary is “passed”?). Neither would you want your cloud service provider to be reporting the ways in which their penetration test failed. You do want to know that the cloud service provider’s processes are continuously reviewed. You do want a standardized measure reported, which would appear to mean that an independent agency should be monitoring the cloud service provider and issuing the standardized measure.
See also: Information security professionals baulk at putting sensitive data in cloud (Infosecurity Magazine, 11-May-2012)
Follow Peter Mell’s Federal Cloud Blog.
See and use the tools Netflix uses; Security Monkey is akin to a Tripwire for Amazon Web Services in that it identifies changes and misconfigurations of AWS components and configuration items.
Tools you can use to security test your Amazon AWS services, and that you can deploy to test AWS infrastructure. Remember to fill out AWS's penetration testing request form before doing testing like this.
- prowler – Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark [pdf]
- nccgroup/Scout2 – Security auditing tool for AWS environments
- cloudsploit/scans – AWS security scanning checks
- The Amazon Inspector – Automated security assessment service to help improve the security and compliance of applications deployed on AWS.
- Netflix/security_monkey – Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations
- Zeus – AWS Auditing & Hardening Tool
“Is (insert vendor here) compliant with (insert regulation here)?” is probably not the question you want answered. You probably want to know whether customers of (insert vendor here) have used the vendor’s service as part of a (insert regulation here) compliant process, and, if so, what was required. There will be weaknesses which the vendor must address, and weaknesses which the customer must address, in order to pass a (insert regulation here) audit.
Cloud Computing: What Accountants Need to Know by Alexandra Defelice, in the October 2010 issue of the Journal of Accountancy, indicates that this standardized measure exists and is being improved.
First and foremost, make sure the vendor uses a data center that has received an AICPA Service Organization Controls Report (SOC), formerly known as a SAS 70 report. For purposes of this article, a vendor is considered the user, and the data center is the service organization. The AICPA developed the guidance to provide a highly specialized examination of a service organization’s internal control. There are three types of SOC reports:
AICPA SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) no. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of user entities’ management and their auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. AICPA SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy. These reports, prepared using the AICPA guide Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy (currently under development), are intended for users that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of the users’ oversight of the service organization; vendor management; and internal corporate governance and risk management. AICPA SOC 3: Trust Services Report (Trust Services Principles, Criteria, and Illustrations) (AICPA, Technical Practice Aids, vol. 1, (TPA sec. 100) commonly referred to as SysTrust reports). These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not need the level of detail provided in a SOC 2 Report. These reports are general use reports and can be freely distributed or posted on a website as a seal.
SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011. You can order a copy of SSAE 16 from the AICPA’s online store at http://www.cpa2biz.com – publication number 023035.
Cloud Security Alliance (CSA) offers guidelines. CSA announced that it has received a no‑cost license for the CloudTrust Protocol (CTP) [pdf] from Computer Sciences Corporation (CSC). The CTP is being integrated as the fourth pillar of the CSA’s cloud Governance, Risk and Compliance (GRC) stack.
The CSA’s GRC stack provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.
The CSA’s GRC stack is an integrated suite of CSA initiatives — CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire — available for free download.
Through this licensing agreement, the CSA plans to integrate the CloudTrust Protocol (CTP) into this stack and distribute it at no charge to enterprises, consumers and cloud service providers, enabling them to bring workloads more efficiently to the cloud.
The CTP was created by Computer Sciences Corporation (CSC) to provide the cloud consumer with the right information to confidently make choices about what processes and data to put into what type of cloud, and to sustain information risk management decisions about cloud services.
It provides transparency into cloud service delivery, offering cloud consumers important information about service security and cloud service providers with a standard technique to prepare and deliver information to clients about their data. In so doing, the CTP generates the evidence needed to verify that all of a company’s activity in the cloud is happening as described.
The Cloud Security Alliance (CSA) has announced additional details of its Open Certification Framework, and its partnership with BSI (British Standards Institution). This partnership will ensure the Open Certification Framework is in line with international standards and is based upon a comprehensive certification process.
IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud from Information Systems Audit and Control Association (ISACA).
The PCI Data Security Standard (PCI DSS) 2.0 Virtualization Special Interest Group [pdf] offers recommendations for cloud computing environments.
The following list summarizes frameworks and sources of advice:
- COBIT
- ISO/IEC 27001-27005
- AICPA/CICA Trust Services (SysTrust and WebTrust)
- Cloud Security Alliance Controls Matrix
- BITS Shared Assessment Program
- Jericho Forum Self-Assessment Scheme (SAS)
- CSA Shared Assessments
- ENISA Procure Secure
- German BSI Security Recommendations for Cloud Computing Providers
- NIST Cloud Computing Synopsis and recommendations
The Vyatta Network OS delivers advanced network security and connectivity in a cloud-ready, virtualization optimized, software appliance. Vyatta’s on demand software approach to cloud security offers cloud providers and enterprises the unique ability to easily provision, deploy, secure and manage flat and complex n-tier networks within a customer environment. Much more than a simple gateway or firewall solution, the Vyatta Network OS offers enterprise-class stateful firewall, IPsec VPN, SSL-based OpenVPN, network intrusion prevention, secure web filtering, dynamic routing and more to enable per customer or per server security and connectivity.
As a cloud services consumer, the best practices to reduce risk in cloud computing contracts are:
IT procurement or sourcing managers challenged with finding sourcing options that reduce costs at tolerable risks should examine nine contractual terms to reduce risk in cloud contracts, according to Gartner.
The cloud delivery model is gaining popularity, but it includes risks that are often unclear or overlooked when assessing the appropriateness of the sourcing model.
“Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements,” said Alexa Bona, research vice president at Gartner. “Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.”
When assessing cloud offerings’ procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated.
The nine key terms to understand in cloud deals to mitigate excessive risk include:
Uptime guarantees. Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.
Service-level agreement penalties. For service-level agreements (SLAs) to be used to steer the behavior of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Rather than credits, money back is preferable, in terms of your negotiating leverage and pressure on the provider, because no vendor likes to have to give money back, once booked.
Watch out for SLA penalty exclusions. More cloud providers realize that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organizations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.
Security. As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider’s security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.
Business continuity and disaster recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure as a service (IaaS) providers don’t even take responsibility for backing up customer data. If organizations are prepared to back up their data within the enterprise, or some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider has a suitable API or other mechanism to accommodate the organization taking responsibility for disaster recovery.
Data privacy conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party — e.g., a cloud infrastructure provider — which is common for many software as a service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do.
Suspension of service. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organizations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause.
Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days’ written notice, or at least within 30 days of renewal. Users should negotiate for at least six months’ notice for the provider to terminate, unless they have materially breached the contract.
Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.
Administration of Cloud Services
If you administer an application from the cloud, do you have alternative administrative controls? Suppose, for example, that you use a cloud-based service to administer your internal network vulnerability scanning. Inappropriate configuration of the cloud service could exhaust your internal network bandwidth. How would you terminate this service? If you must use your internal network to terminate the cloud service, but the cloud service is monopolizing your internal network, you will need to find an approach to break that deadlock.
Breach Notification
Breach notification laws do not make exceptions for cloud environments. Does your contract require the cloud service provider to notify you if their service has been breached? Does your incident response procedure include mechanisms you can use to investigate a breach?
Web-based single sign-on (SSO) presents a set of risks to be aware of. See “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services” [pdf].
FireHost, a secure cloud hosting company, reports cross-site scripting (XSS), directory traversal, cross-site request forgery (CSRF) and SQL injection as the attack types it observes. Verizon, in its 2012 Data Breach Investigations Report, reports that successful breaches take place against data hosted internally, owned by the victim organization and managed by internal IT staff.
Microsoft on Cloud Security
In Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Businesses Microsoft points out security benefits to cloud services.
35 percent of U.S. companies surveyed have experienced noticeably higher levels of security since moving to the cloud.
Companies using the cloud spend 32 percent less time each week managing security than companies not using the cloud.
How is the level of security measured?
General best practices
Network security groups are like firewall rules; you can use them to protect your VMs from brute force attacks.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/
Disable RDP/SSH access to Azure Virtual Machines; enable a point-to-site VPN instead.
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/
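A check of the kind these two best practices call for, as an added example (not code from the original page or from Microsoft): it audits an NSG's inbound rules, in Azure's priority order, for SSH or RDP allowed from the Internet. The NSG, its rule names and the VPN client pool address are constructed, and the example assumes rules use the singular sourceAddressPrefix and destinationPortRange fields.

```python
"""Audit an Azure network security group (NSG) for SSH/RDP reachable from the
Internet. Added example, not code from the original page or from Microsoft;
the NSG below is constructed in the shape `az network nsg show` returns."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}   # "anyone" in NSG terms


def port_in_range(port_range, port):
    """destinationPortRange is '*', a single port '22', or a span '3000-4000'."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposed_mgmt_ports(nsg):
    """Return {port: rule name} for management ports allowed inbound from the
    Internet. Azure evaluates inbound rules from the lowest priority number and
    stops at the first match, so a late DenyAll cannot undo an early Allow."""
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    findings = {}
    for port in MGMT_PORTS:
        for rule in rules:
            p = rule["properties"]
            applies = (p["direction"] == "Inbound"
                       and p["protocol"] in ("*", "Tcp")
                       and p["sourceAddressPrefix"] in INTERNET_SOURCES
                       and port_in_range(p["destinationPortRange"], port))
            if applies:                      # first matching rule decides
                if p["access"] == "Allow":
                    findings[port] = rule["name"]
                break
    return findings


def rule(name, priority, access, src, ports, proto="Tcp"):
    """Build one inbound rule in Azure's JSON shape (helper for the sample)."""
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": access,
        "protocol": proto, "sourceAddressPrefix": src,
        "destinationPortRange": ports}}


# Constructed sample: SSH is open to everyone at priority 100, which the
# DenyAll at 4000 cannot override; RDP is only allowed from the VPN client pool.
SAMPLE_NSG = {"name": "web-nsg", "properties": {"securityRules": [
    rule("allow-ssh-any", 100, "Allow", "*", "22"),
    rule("allow-rdp-vpn", 110, "Allow", "172.16.0.0/24", "3389"),
    rule("deny-all-in", 4000, "Deny", "*", "*", proto="*"),
]}}

if __name__ == "__main__":
    for port, name in exposed_mgmt_ports(SAMPLE_NSG).items():
        print(f"{MGMT_PORTS[port]} (tcp/{port}) is open to the Internet by rule {name!r}")
```

Run the same function over the output of `az network nsg show` for each NSG in a subscription to find VMs that still accept RDP/SSH directly rather than over the point-to-site VPN.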
Note: Address access control issues with Xceedium Xsuite™. Xsuite Cloud provides customers with a unified way to control, audit and continuously monitor all privileged access to the AWS Management Console and critical infrastructure deployed across the Amazon Elastic Compute Cloud (EC2) and Amazon Virtual Private Cloud (VPC), as well as other private clouds, on premise systems, or any combination thereof.