SECURITY IN THE CLOUD

Part 1 – Guarantees for Cloud Security

White Paper, November 2012

Zimory White Paper: Security in the Cloud pt 1/2




SECURITY IN THE CLOUD – PART 1

Copyright © 2013, Zimory GmbH

TABLE OF CONTENTS

Introduction and Problem Description

Security vs. Decision of Moving to the Cloud

    Market Perspectives for Virtualization

    Cloud Security Best Practices

Benefits of Cloud Security

Security Implications in the Zimory Cloud Suite

    Security Standards and Testing Procedures: The Zimory Cloud Suite Case

Conclusion

Contact Information


INTRODUCTION AND PROBLEM DESCRIPTION

The Cloud has stopped being a trend; it is now a reality. However, some aspects of the Cloud are a cause of hesitation for both customers considering moving to the Cloud and Cloud Service Providers.

The Cloud has intrinsic and dynamic characteristics of proactivity and interaction. From the customer's point of view, they might seem difficult to control with conventional IT security standards. Cloud computing security is, in reality, not isolated from the standard IT security and data protection policies and regulations.

Main security concerns are:

• Data protection

• Sharing of resources

• Differences in country legislations

On the one hand, this document analyzes security in virtualized environments from the Cloud customer’s point of view, justifying the importance of customer awareness about security issues in the Cloud.

The second part of this white paper presents Zimory as an example of Cloud management services meeting high quality and security standards. This section includes a description of penetration tests performed by one of Zimory’s customers in order to observe how the Zimory Cloud Suite responds to simulated attacks.

SECURITY VS. DECISION OF MOVING TO THE CLOUD

When deciding to move to the Cloud, customers must demand an open discussion with Cloud Service Providers and vendors of any security doubt or question they may have. Clarity and efficiency are a must when dealing with these issues in any IT environment, and even more so in Cloud Computing environments, where elements that are by definition intrinsic to them (abstracted resources, scalability and flexibility, shared resources, programmatic management, etc.) can create some uncertainties for all parties involved.

As stated by the European Network and Information Security Agency (ENISA), “Cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective” [1].

Security issues can be a major question mark for businesses hesitating to move to the Cloud. The Cloud, with its innovative technology, has also found effective means to face and resolve these issues in order to provide guarantees.

MARKET PERSPECTIVES FOR VIRTUALIZATION

The following chart presents Gartner's predictions for the progression of virtualization in the IT market by 2015:

Figure 1. Progress towards Virtualization

Source: Gartner (May 2012)

Based on the previous chart, it is important to mention basic principles regarding the transition from the “physical” security environment to a virtualized security environment [2], such as:

• Management consoles: often the target of an attack.

• Multi-tenancy and shared resources.

• Compromising the hypervisor.

[1] Catteddu, Daniele and Hogben, Giles: “Cloud Computing Security Risk Assessment”. European Network and Information Security Agency (ENISA), 2009.

[2] For more details regarding this transition, see “Security in the Cloud – Part II: Threats and Solutions”. Zimory, 2012.


Providers should be able to offer high-quality security standards in order to limit liability, “minimizing vulnerabilities and using effective security controls” [3]. This is clearly one of the main challenges of the Cloud Computing market due to its novelty and rapid evolution.

CLOUD SECURITY BEST PRACTICES

Ideally, in order to keep Cloud Computing Services balanced and in continuous evolution, there are certain aspects to be considered, which can even serve as a best-practices checklist [1]:

1. Customers must be aware of risks when adopting Cloud services.

2. Customers should compare different Cloud provider offerings in order to make an informed decision.

3. Cloud providers should provide customers with as much assurance as possible.

4. Not all the assurance burden should fall on Cloud providers.

5. Awareness of the regulations of the country where data is stored, where the company is located and where the cloud service provider is located.

6. Awareness of who controls and regulates data. Customers using services of a US company are exposed to the Patriot Act, for example.

7. Transparency as a working principle and basis for cloud computing companies and customers.

8. Whenever possible, allow customers to test Cloud services. Testing procedures will become a guarantee for Cloud Services.

All parties involved in cloud computing contracts must be aware of the regulations applicable to their businesses. It is highly important for Cloud Service Vendors to explain security issues to their customers before moving to the Cloud.

[3] Pescatore, John: “Securing and Managing Enterprise Cloud”. Gartner Inc., May 2012.


BENEFITS OF CLOUD SECURITY

As stated in ENISA’s Cloud Computing Security Assessment [1], security in the Cloud can also imply multiple benefits for all parties involved:

1. Security as a differentiator: Cloud services meeting high security standards can be a stand-out point in a very competitive market.

2. The larger the scale, the cheaper the implemented security measures.

3. Efficient and effective scaling of resources: An intrinsic quality of Cloud services is the ability to dynamically reallocate resources for multiple purposes, which has many advantages for resilience.

4. Audits and gathering consumption information: Zimory Cloud Suite offers a pay-per-use policy and the possibility of exporting resource consumption reports, all of which leads to more effective resource and cost management.

5. Advantages of resource concentration: This is generally seen as a risk for Cloud Computing. It can also facilitate, however, the application of many security-related measures.

SECURITY IMPLICATIONS IN THE ZIMORY CLOUD SUITE

The Zimory Cloud Suite can be taken as an example of testing the performance of Cloud management services.

More concretely, Zimory manages public cloud services for large companies on behalf of one of its customers. High security standards are especially required for these security environments, where virtual private clouds are working inside public clouds. This is a clear security challenge for software managing public cloud services offered inside the high-security networks of telecommunication companies. When providing these solutions, the Zimory Cloud Suite successfully proves to be capable of meeting all security requirements of a carrier grade IaaS management software.

Furthermore, Zimory's multi-layered security approach provides clear and concrete answers regarding security issues. This approach is based on a compensation method, which implies that in case one security layer is compromised, other layers will back up the integrity of the security system. This back-up procedure keeps the system stable and secure, avoiding a complete shutdown.

SECURITY STANDARDS AND TESTING PROCEDURES: THE ZIMORY CLOUD SUITE CASE


Testing procedures are thus of key importance to support and provide security standards for the performance of Cloud services. Therefore, Zimory welcomed one of its customers to perform penetration tests on the Zimory Cloud Suite, based on well-defined security standards.

Penetration tests, or pentests, are defined by Search Software Quality as “the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit” [4]. These tests simulate both internal and external attacks and include four main steps:

Step 1: Preparing the Test. During this step, an access methodology for the tested system is created. Some of the tasks performed during this step are:

• Defining the system to be tested: In this case, zimory®manage was the tested component, since it allows direct interaction with an end and external user.

• Determining visibility of the system and the company: Identifying existing limits of the information availability.

• Setting test depth and aggressiveness.

• Determining the methodology for approaching problems such as software damage, information leaks, etc.

Step 2: Gathering Information. This step identifies, for example, elements that need to be “less visible”. Other tasks of this step include:

• Providing documentation.

• Surveying the development process.

• Examining the I-modules, which constitute the “test steps that serve for pure provision of information”.

Step 3: Evaluation of Gathered Information. Analysis of the information gathered during the previous step, including:

• Identifying critical areas.

• Identifying achievable goals.

• Selecting and examining e-modules, or the “active penetration attempts” [4].

• Describing test cases.

Step 4: Execution Phase or Active Intrusion.

Applying the testing procedures described above, penetration tests were performed on the Zimory Cloud Suite in April 2011 and included both on-site and remote tests.

[4] Gershater, Jonathan and Mehta, Puneet: “Pen Test (Penetration Testing)”. Search Software Quality, 2011. Retrieved from: http://searchsoftwarequality.techtarget.com/definition/penetration-testing


After pentest implementation, Zimory software presented no abnormalities regarding essential test parameters such as:

• Verification of Security laws.

• Failure causes.

• Command, XPath and SQL injections: Techniques used to attack software.

• XML poisoning.

• XDoS attacks: XML denial of service.

Most of the problems detected during the penetration testing procedure, which were minor issues regarding, for example, cross-site scripting, have since been solved.

Cloud vendors allowing customers and Service Providers to perform test procedures with high standards could almost be considered a breakthrough in the Cloud Computing world. Lack of standard testing procedures, especially with regard to security issues, has been identified as one of the main customer concerns when moving to the Cloud and one of the reasons for the slow take-off of the Cloud Computing market [5].

Moreover, testing software with such high standard procedures and without having any major issues detected is a clear indicator of carrier grade software meeting high quality standards.

CONCLUSION

It is of key importance for customers to be aware and well informed with regard to security implications from the moment they decide to move to the Cloud. Providers, on the other hand, should be able to offer high-quality security standards in order to limit liability, “minimizing vulnerabilities and using effective security controls” [3]. Security in the Cloud is a matter concerning all actors involved, who must actively contribute to build confidence in the Cloud.

Cloud security measures are not at all isolated from the conventional IT security measures. Customers and Cloud service users need to analyze and be aware of security conditions before actually deciding to move to the Cloud.

Finally, the Zimory Cloud Suite can be considered an example of carrier grade IaaS management software, meeting high quality and security standards. As described in this paper, Zimory is open and secure enough to submit its product to rigorous tests regarding security parameters of the product. All of this confirms product guarantees regarding data protection, scalability, flexibility, hardening of virtual machines and hypervisors, etc.

Our Cloud Suite is, without a doubt, a secure option for managing Cloud services.

[5] For more information, see “Cloud Computing Market: Understanding its Slow Take-Off in Europe”. Zimory, 2012.


CONTACT INFORMATION

Zimory GmbH

Alexanderstrasse 3,

10178 Berlin

Germany

Email: [email protected]

Tel: +49 (0)30 609 85 07-0

For the latest information, please visit www.zimory.com

The information contained in this document represents the current view of Zimory GmbH on the issues discussed as of the date of publication. Because Zimory must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Zimory, and Zimory cannot guarantee the accuracy of any information presented after the date of publication. The information represents the product at the time this document was published and should be used for planning purposes only. Information is subject to change at any time without prior notice.

This document is for informational purposes only.

ZIMORY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2009 Zimory GmbH. All rights reserved. Zimory is a registered trademark of Zimory GmbH in Germany. All other trademarks are the property of their respective owners.