Security and Control in the Cloud


This article was downloaded by: [Laurentian University]
On: 09 October 2014, At: 19:57
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Information Security Journal: A Global Perspective
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uiss20

Security and Control in the Cloud
Klaus Julisch (a) & Michael Hall (b)
(a) IBM Research GmbH, Rüschlikon, Switzerland
(b) Forbes Sinclair, Madrid, Spain
Published online: 19 Nov 2010.

To cite this article: Klaus Julisch & Michael Hall (2010) Security and Control in the Cloud, Information Security Journal: A Global Perspective, 19:6, 299-309, DOI: 10.1080/19393555.2010.514654

To link to this article: http://dx.doi.org/10.1080/19393555.2010.514654


Information Security Journal: A Global Perspective, 19:299-309, 2010
Copyright Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393555.2010.514654

Security and Control in the Cloud
Klaus Julisch (1) and Michael Hall (2)
(1) IBM Research GmbH, Rüschlikon, Switzerland
(2) Forbes Sinclair, Madrid, Spain

ABSTRACT Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today's generation of information security management systems (ISMSs), as specified in ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.

KEYWORDS cloud computing, security, ISMS, ISO 27001

Address correspondence to Klaus Julisch, IBM Research GmbH, Säumerstrasse 4, 8803 Rüschlikon, Switzerland. E-mail: kju@zurich.ibm.com

1. INTRODUCTION TO CLOUD COMPUTING

Cloud computing is a new formula for delivering computing resources, not a new technology. Specifically, cloud computing provides computing resources as on-demand services that are hosted remotely, accessed over the Internet, and generally billed on a per-use basis (Chong & Carraro, 2006; Catteddu & Hogben, 2009; Datamonitor, 2009). There are three types of computing resources that have been provided in the cloud:

Software as a Service (SaaS): This is application software that is hosted by third parties and provided as a service over the Internet. Examples of SaaS include Google Docs, Salesforce.com, and Web mail services such as hotmail.com.

Platform as a Service (PaaS): These are platforms consisting of development tools and a runtime environment. Cloud customers use the development tools to program their own applications against the Application Programming Interface (API) of the runtime environment. Subsequently, the applications are deployed to the runtime environment where they are executed. Examples of PaaS include Microsoft Azure, Force.com, and Google Apps.

Infrastructure as a Service (IaaS): These are low-level computing resources such as virtual machines or storage which are provided on demand over the Internet. Examples include Amazon's Elastic Compute Cloud (Amazon EC2) and Carbonite's backup service.

Many additional examples of SaaS, PaaS, and IaaS vendors and offerings can be found in the cloud taxonomy by OpenCrowd (2009).

Cloud computing is a type of outsourcing. As such, it is similar to classic information technology (IT) outsourcing, where a client transfers the custody of parts of its information system to a service provider. The service provider assumes responsibility for the client's information system and operates it in accordance with the contractual terms that the client and provider agreed upon (Cullen & Willcocks, 2003; Gewald & Helbig, 2006). These contractual terms, which define the cooperation between outsourcing clients and providers, are called Service Level Agreements, or SLAs.

The defining characteristic of classic IT outsourcing (compared to cloud computing) is that the outsourcing provider offers a customized and unique service that does exactly what the client requests at the client's terms, in a well-controlled and discrete environment. Cloud computing, by contrast, offers highly standardized services that are provided cheaply by serving multiple customers from a shared IT infrastructure (Brunette & Mogull, 2009; Datamonitor, 2009). Of course, cloud services offer some degree of customizability, but cloud services are basically commoditized one-size-fits-all offerings. Further, the use of a shared IT infrastructure across clients destroys any client's ability to afford the same level of control known from classic IT outsourcing.

Cloud computing is a sizeable and rapidly growing market. According to International Data Corporation (IDC), a leading provider of market intelligence and advisory services, the worldwide market for cloud computing was approximately $17.4 billion in 2009 and is estimated to reach $44.2 billion by 2013 (Gens, Mahowald, & Villars, 2009). This rapid market growth is driven by the following benefits of cloud computing:

Low cost: Typical enterprises dedicate 50-70% of their IT budgets to routine system maintenance tasks (Datamonitor, 2009; States & Lindquist, 2008). This overhead can be reduced by outsourcing non-strategic services to cloud providers, which use their scale economies and experience curve effects (Hax & Majluf, 1982) to provide commoditized services more cheaply (Reeves, 2009A).

On demand: In a recent Goldman Sachs (2009) survey, 51% of respondents saw the key benefit of cloud computing in the ability to elastically scale to meet peak workloads and future demand. A related benefit is the usage-based pricing model where customers only pay for compute resources consumed (Datamonitor, 2009; Reeves, 2009A).

Short time-to-market: It is faster to procure cloud services than to develop the same functionality in-house. The ability to deliver results fast is another benefit of cloud computing (Roth, 2008).

Inhibitors to the adoption of cloud computing include security, business continuity and control concerns, reliability concerns, fears of vendor lock-in, migration costs, reduced customizability, integration difficulties, as well as uncertainties about the business case and the legal implications (Catteddu & Hogben, 2009; Datamonitor, 2009; Roth, 2008; Reeves, 2009A). This article addresses the security and control concerns and shows how information security management systems (ISMSs) can be extended to overcome them.

2. STATE OF THE ART IN CLOUD SECURITY

Section 1 defined cloud computing as a new IT delivery model. This definition by itself does not imply any new security challenges. For example, an organization could task its internal IT departments to deliver all computing resources as cloud services. From a security and control point of view, this is very much akin to classic in-house IT delivery. New security challenges arise, however, in the public cloud (Brunette & Mogull, 2009; Reeves, 2009A) where a cloud provider offers cloud services to any (paying) client. Some of these clients may be internal business units of the cloud provider, but most clients will be external legal entities, for example, other companies. The defining characteristic of public clouds is that SLAs are used to stipulate the legal accountability between cloud providers and their clients. This article focuses on security in public clouds, and the term cloud is henceforth used synonymously with public cloud.

In using (public) cloud services, a Cloud Client (CC) places select organizational assets in the custody of a Cloud Provider (CP). In doing so, the CC cedes control over these assets to the CP, and yet the CC retains accountability for the security and regulatory compliance of these assets. This creates risks, which have made some enterprises hesitant to sign up for cloud services (Catteddu & Hogben, 2009). CPs understand this problem and have responded by offering SAS-70, ISO-27001, or other security certifications to prove the quality of their risk-mitigating controls (Salesforce, 2008; Schadler, 2009; Amazon, 2010). Further, some CPs such as Intacct.com or Google offer Service Level Agreements to facilitate a risk transfer (Intacct, 2010; Google, 2010A; Amazon, 2008). All of these schemes are important, but taken in isolation, they have important shortcomings:

1. Formal Registrar Security Certification audits have the problem of being infrequent (typically every three years). The CC therefore receives infrequent snapshots of the CP's control environment and has to trust that everything is OK between certifications. This setup is increasingly unacceptable to many CCs who, at any moment, may be held accountable by their stakeholders for the security and compliance of their own information systems.

2. It is important to understand that SAS 70 certification is not a stamp of approval (even though it is sometimes marketed that way). This is because SAS 70 is a framework for conducting audits. It does not certify any specific controls or control objectives. Rather, each CP defines for itself the controls and control objectives that it wants to be certified for (AICPA, 1992). These controls and control objectives are documented in the SAS 70 audit report. Prospective clients should always consult this report (rather than relying on the "SAS 70 compliant" label) to determine if the controls of a CP meet their requirements (Brunette & Mogull, 2009). SSAE 16 and ISAE 3402, the successor standards of SAS 70, improve on these issues by requiring the CP to more fully disclose its system and control environment (Thompson, Griffin, & Bialick, 2010).

3. The SLAs offered by CPs tend to be conservative in the sense that they offer only small penalty payments and their commitments are focused on availability rather than data integrity or confidentiality (Amazon, 2009; Google, 2010A; Maiwald, 2009; Mather, Kumaraswamy, & Latif, 2009). Further, cloud SLAs are typically standardized and unable to meet the specific security requirements of individual customers (Goertzel et al., 2009).

4. SLAs are an intrinsically imperfect risk treatment strategy. In theory, they transfer the risk to the CP. In practice, however, the CP's responsibility ends with a (frequently small) penalty payment and the potential loss of the customer(s) affected by a control failure. The CC, by contrast, remains accountable towards its own customers, regulators, and directors for any failures, and there are few limits to the cost that such accountability can entail.

While generally insufficient by themselves, SLAs, certifications, and audits are important building blocks of cloud security. In this article, we show how these and other risk treatment methods can be combined into a single consistent framework, called the virtual ISMS. An ISMS is the set of processes, policies, and mechanisms that an organization uses to establish, implement, operate, monitor, and improve information security (ISO, 2005A). A virtual ISMS extends this concept so it becomes suitable for virtual enterprises where IT services are partially outsourced to CPs.

This article is targeted at CIOs and CSOs of cloud client and cloud provider organizations. CCs will find that the virtual ISMS offers a structured way for managing risk and protecting corporate assets that are outsourced to CPs. This benefit is shared by CPs. As CPs use shared and standardized infrastructures to deliver cloud services cheaply, they cannot offer customized provisions to individual clients. Using the virtual ISMS to manage security in a standardized and scalable way is of real benefit to CPs. In addition, CPs will draw value from our discussion of ways to improve security and thereby differentiate their offering in the marketplace.

3. THE CONVENTIONAL ISMS

The ISO/IEC Standard 27001:2005 defines an ISMS as the set of processes, policies, and mechanisms that are used to establish, implement, operate, monitor, review, maintain, and improve information security (ISO, 2005A). The standard further prescribes that ISMSs follow the Plan-Do-Check-Act (PDCA) process, or Deming Cycle. The PDCA cycle acknowledges that information security is not a product that, once installed, makes a system secure. Rather, information security is achieved by a process of continuous improvement and adjustment to the inevitably changing threats, technologies, and business processes. The four steps of the PDCA process are as follows:

The Plan step defines the scope of what is to be protected; it further performs a risk assessment and defines...
