
Cloud Computing - understanding security risk and management

The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals, its essential characteristics, service models and deployment options. It also throws light on the Security and Risk Management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.

Author – Shamsundar Machale (CISSP)

What is the definition of Cloud Computing?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what the essential characteristics of cloud are. Fig. 1 represents the visual model of the above NIST cloud computing definition. Let's take a deeper look into the definition.

Fig.1 NIST Visual Model of Cloud Computing Definition

Any cloud should demonstrate certain essential characteristics to get the full benefits of cloud. Any missing essential characteristic would not give you 100% benefit from cloud computing.

Whatever is not your core, outsource it. Similarly, maintaining capex IT infrastructure and information is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).

Multi-tenancy is the foundation of resource pooling, but keep in mind that resource pooling is not limited to your servers and storage; it extends to network connectivity, physical security, administration of cloud services and, last but not least, your facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This provides great benefit to the Cloud Consumer (CC): no direct capital investment, and the pay-per-use model of cloud. Only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling might become a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as guest hopping or side-channel attacks that capture cryptographic keys.

The second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing resources by themselves with minimum administrative involvement from the CSP. The lead time required for provisioning and de-provisioning should be reduced significantly.

Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, and they will be charged on a pay-per-usage policy. There should not be any lock-in on the CSP side when reducing the required level of resources.

As there is a trend of BYOD and consumerization, people want to access applications independently of location and end device, which essentially means there should not be any restriction on your work location (office, home or cafe) or on how you access it (desktop, laptop, smartphone or tablet).

Lastly, the CC should be able to measure the services offered by the CSP through the SLA (measured service).

Let's take a look at service offering models; there are typically three kinds of service offering models, as below.

IaaS (Infrastructure as a Service) – Here you get only infrastructure like compute and storage. This is nothing but a plain vanilla virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc.

PaaS (Platform as a Service) – Here you expect a little bit more from the CSP, which helps in the development of applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force and Google App Engine.

SaaS (Software as a Service) – This is the full package of an application; the CC just has to use it and need not worry about how and where it is running or who is managing the show. It is a pure service such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.

As you move from IaaS to SaaS the CC loses control over the services whereas the CSP gains more control, as depicted in the figure below.

Fig-2

Now we will look at the third tier of the cloud computing definition, which is nothing but the deployment options. As seen in the visual model above, there are four ways in which cloud services can be deployed.

Public Cloud – Available publicly; multiple customers can avail of the same services with different SLA commitments.

Private Cloud – Built specifically for a single customer and available to only that customer.

Community Cloud – Services offered to a set of customers that form a community, such as cloud services for power generation companies, cloud services for the manufacturing industry etc.

Hybrid Cloud – A combination of any of the above.

The table below provides more information about the deployment models.

Fig.3

As mentioned above, security of cloud services is a joint responsibility of the CC and the CSP, and the split purely depends on the service offering.

What is Security for Cloud Computing?

As per CSA, security controls in cloud computing are, for the most part, no different from security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing.

The focus of the defense in depth approach is always data at the center, with different types of controls, such as Administrative, Technical and Physical, wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud based data center.

As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.

Fig.4 CSA Trusted cloud security reference architecture

This block basically talks about the domains below.

Governance, Risk and Compliance - How are you going to manage governance, risk, audit, vendor, policy and awareness around CSP support staff?

InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.

Privilege Management Infrastructure – This purely focuses on how effectively you manage identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?

Threat and Vulnerability Management - How do you keep the environment vulnerability free and up to date with the latest patches, and give assurance on compliance testing to the CC?

Infrastructure Protection Services - How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have Anti-virus and HIPS / HIDS installed at the end points, logging and monitoring enabled, an application level firewall and web content filtering?

Data Protection – How well are you managing the data lifecycle, what controls are in place to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?

Policies and Standards – Have you defined information security policies and guidelines based on industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?
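The Threat and Vulnerability Management domain above asks whether the environment is kept up to date with the latest patches. For the parts of the stack the CC still owns (its own instances under IaaS), that question can be answered with a repeatable check rather than a questionnaire. The script below is an added example written for this page, not CSA code: it compares a constructed instance inventory against an assumed patch baseline (minimum package versions plus a maximum age for the last patch run) and reports per-host findings and an overall compliance ratio. The baseline values, package names, host names and dates are all constructed for the illustration.

```python
"""Patch-currency check for a cloud consumer's own instances.

Added example for the Threat and Vulnerability Management domain; not CSA's
tooling. Inventory, baseline and policy window are constructed/assumed.
"""
import re
from datetime import date

# Assumed baseline: minimum acceptable version per package, and the maximum
# number of days an instance may go without a patch run.
BASELINE = {"openssl": "1.1.1k", "kernel": "5.4.120"}
MAX_PATCH_AGE_DAYS = 30


def parse_version(v: str) -> tuple:
    """Turn '1.1.1k' or '5.4.120' into a tuple that compares correctly.

    Numeric fields become (0, int) and letter suffixes become (1, str), so
    5.4.120 > 5.4.99 (numeric, not string, comparison) and 1.1.1k > 1.1.1j >
    1.1.1 (a suffix sorts after no suffix)."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_current(installed: str, minimum: str) -> bool:
    return parse_version(installed) >= parse_version(minimum)


def check_host(host: dict, today: date) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    for pkg, minimum in BASELINE.items():
        installed = host["packages"].get(pkg)
        if installed is None:
            findings.append(f"{pkg}: not installed, cannot verify baseline {minimum}")
        elif not is_current(installed, minimum):
            findings.append(f"{pkg}: {installed} is below baseline {minimum}")
    age = (today - date.fromisoformat(host["last_patched"])).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patch run {age} days ago exceeds {MAX_PATCH_AGE_DAYS}-day window")
    return findings


def compliance_report(inventory: list, today: date) -> dict:
    """Findings per host, the list of compliant hosts and the compliant ratio."""
    findings = {h["host"]: check_host(h, today) for h in inventory}
    compliant = [name for name, f in findings.items() if not f]
    ratio = len(compliant) / len(inventory) if inventory else 1.0
    return {"findings": findings, "compliant": compliant, "ratio": ratio}


# Constructed inventory (hypothetical hosts, versions and dates).
INVENTORY = [
    {"host": "web-01", "last_patched": "2024-05-20",
     "packages": {"openssl": "1.1.1k", "kernel": "5.4.120"}},
    {"host": "web-02", "last_patched": "2024-05-20",
     "packages": {"openssl": "1.1.1j", "kernel": "5.4.120"}},   # openssl behind baseline
    {"host": "db-01", "last_patched": "2024-03-01",
     "packages": {"openssl": "1.1.1k", "kernel": "5.4.99"}},    # kernel behind, patch run stale
    {"host": "app-01", "last_patched": "2024-05-25",
     "packages": {"kernel": "5.4.130"}},                        # openssl not present
]
TODAY = date(2024, 6, 1)  # constructed assessment date

if __name__ == "__main__":
    report = compliance_report(INVENTORY, TODAY)
    for name, items in report["findings"].items():
        print(name, "OK" if not items else "; ".join(items))
    print(f"compliant: {report['compliant']} ({report['ratio']:.0%})")
```

The version parser is the part worth getting right: comparing version strings lexically would rank 5.4.99 above 5.4.120 and silently pass an out-of-date kernel, so the check splits numeric and alphabetic fields and compares them as typed tuples.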

CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1.

As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security.

Fig.5 CCMv3.0.2 Domains

Risk Management is one of the important aspects of cloud computing. There is no different strategy for managing risk in the cloud: you have to follow the conventional approach of performing a risk assessment based on a chosen framework and then managing each risk either through mitigation by applying controls, or by transferring, avoiding or accepting it. As per ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012" document, cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks", and "Legal Risks".

The figure below represents the top rated risks identified by ENISA based on the probability and impact of each risk.

Fig.6 ENISA top security risks to cloud computing
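To make the probability x impact rating and the four treatment options (mitigate, transfer, avoid, accept) concrete, here is a small risk register in Python. It is an added example written for this page, not ENISA's or CSA's tooling. The risk names are ones the paper mentions; the five-level scales, the band thresholds, the controls and the step by which each control lowers a rating, the "transferable" flag and the treatment policy are all assumptions made for the illustration and are not ENISA's ratings.

```python
"""Qualitative risk assessment and treatment for a cloud risk register.

Added example; not ENISA's or CSA's code. Rates each risk by probability x
impact, applies the consumer's controls to get the residual risk, ranks the
register the way the ENISA top-risk figure does, and picks a treatment.
All ratings, controls, thresholds and the treatment policy are assumed.
"""
from dataclasses import dataclass, field

SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
LEVELS = list(SCALE)                       # ordered lowest to highest
RATING_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    steps: int = 1      # scale levels the control removes (assumed model)


@dataclass
class Risk:
    name: str
    category: str       # Policy and Organizational / Technical / Legal
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)
    transferable: bool = False   # can it be moved to the CSP or an insurer by contract?


def score(likelihood: str, impact: str) -> int:
    """Probability x impact on the 1..25 grid."""
    return SCALE[likelihood] * SCALE[impact]


def rating(s: int) -> str:
    """Bucket a score into three bands (thresholds assumed)."""
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def lower(level: str, steps: int) -> str:
    """Move a scale level down by `steps`, never below the lowest level."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def residual(risk: Risk) -> tuple:
    """Apply the risk's controls; return (likelihood, impact, score) afterwards."""
    lik, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.reduces == "likelihood":
            lik = lower(lik, c.steps)
        elif c.reduces == "impact":
            imp = lower(imp, c.steps)
        else:
            raise ValueError(f"unknown control target {c.reduces!r}")
    return lik, imp, score(lik, imp)


def treat(risk: Risk, appetite: str = "low") -> str:
    """Assumed policy: accept within appetite; keep mitigating when controls
    actually lower the score; transfer by contract when possible; else avoid."""
    inherent = score(risk.likelihood, risk.impact)
    _, _, res = residual(risk)
    if RATING_ORDER[rating(res)] <= RATING_ORDER[appetite]:
        return "accept"
    if res < inherent:
        return "mitigate"
    if risk.transferable:
        return "transfer"
    return "avoid"


def assess(register: list) -> list:
    """Rows of (name, category, inherent, residual, rating, treatment),
    ranked by inherent score with the highest first."""
    rows = []
    for r in register:
        inherent = score(r.likelihood, r.impact)
        _, _, res = residual(r)
        rows.append((r.name, r.category, inherent, res, rating(res), treat(r)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: names from the paper, every rating and control assumed.
REGISTER = [
    Risk("Loss of governance", "Policy and Organizational", "very high", "very high",
         [Control("contractual security clauses and audit rights", "likelihood")]),
    Risk("Lock-in", "Policy and Organizational", "high", "medium"),
    Risk("Isolation failure", "Technical", "low", "very high",
         [Control("tenant isolation testing and hypervisor patching", "likelihood")]),
    Risk("Management interface compromise", "Technical", "medium", "very high",
         [Control("MFA on the management console", "likelihood"),
          Control("least-privilege administrative roles", "impact")]),
    Risk("Data protection risks", "Legal", "high", "high", transferable=True),
]

if __name__ == "__main__":
    for name, cat, inh, res, rat, act in assess(REGISTER):
        print(f"{name:34} {cat:27} inherent={inh:2} residual={res:2} {rat:6} -> {act}")
```

The separation between inherent and residual score is what lets the register feed the "residual risk management" item of the InfoSec Management domain: a control that does not move the score is visible as such, and a risk that stays outside appetite after every available control is the one that must be transferred by contract or avoided by a different design choice.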

If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find that certain risks / threats are common to both documents, such as Malicious Insiders / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.

Fig.7 – Notorious Nine Threats to Cloud Computing

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Security Certifications and Attestations – The CSP can provide assurance to the CC on its current compliance level with respect to different standards, legal and regulatory requirements through certain security certifications and attestations.

The figure below lists the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of the CSP.

Fig.8 – Security Certifications and Attestations

Conclusion - Cloud computing is a double-edged sword which provides a good amount of benefits, but only if implemented properly, considering all security, governance, privacy and legal requirements. Risk assessment and due diligence are the key for cloud consumers to make their case a success story.

References –

CSA, "Trusted Cloud Reference Architecture version 2.0"

CSA, "Cloud Controls Matrix, CCM v3.0.1"

CSA, "The Notorious Nine – Cloud Computing Top Threats in 2013"

ENISA, "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012"

Forrester, "The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014"

END OF DOCUMENT