(PDF) Yury Chemerkin Ita 2013 Proceedings


8/13/2019 (PDF) Yury Chemerkin Ita 2013 Proceedings

Proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13)

Editors: Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, & Julie Mayers
Co-editors: Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, & Susan Liggett
Glyndŵr University, Wrexham, North Wales, UK, 10-13 September 2013

ISBN 978-0-946881-81-9

PROCEEDINGS OF THE FIFTH INTERNATIONAL CONFERENCE ON INTERNET TECHNOLOGIES AND APPLICATIONS (ITA 13)

Tuesday 10th to Friday 13th September 2013
Glyndŵr University, Wrexham, Wales, UK

http://www.ita13.org

Editors
Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, Julie Mayers

Co-editors
Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, Susan Liggett

Hosted by
Creative and Applied Research for the Digital Society (C.A.R.D.S.)
Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham, LL11 2AW, UK
ISBN: 978-0-946881-81-9

www.cards-uk.org

Glyndŵr University, 2013. All rights reserved. Printed in the United Kingdom.

No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopy, recording or otherwise) without the prior written permission of the publisher or distributor.

FOREWORD

Croeso i Ogledd Cymru. Croeso i Wrecsam!

Welcome to North Wales. Welcome to Wrexham!

These are the proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13), hosted by the University Centre for Creative and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University, Wrexham, North Wales, UK from Tuesday 10th to Friday 13th September 2013. The conference has been sponsored by the British Computer Society (BCS) Chester and North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the European Union 7th Framework Programme (Project Geryon), the UK National Health Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The Applied Computational Electromagnetics Society (ACES) and Modibbo Adama University of Technology, Yola (MAUTECH). We thank them all for their support.

SECURITY COMPLIANCE CHALLENGES ON CLOUDS

Yury Chemerkin

Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH)
Moscow, [email protected]

ABSTRACT

Today cloud vendors provide many features for integration and optimization in fields such as business or education; there are many ways to adopt them for medical purposes, such as maintaining medical records or monitoring patients. Not all cloud solutions have totally changed the original security paradigm, and customers still need to manage accessibility, monitoring and auditing. An appropriate security level has become a very important issue for customers. Compliance is part of security and a cornerstone when cloud vendors refer to worldwide standards.

KEYWORDS:

Cloud security, compliance, Amazon Web Services, AWS, CSA Cloud Controls Matrix, CSA, CCM, CAIQ, CSA Consensus Assessments Initiative Questionnaire

1. INTRODUCTION

Cloud computing has been one of the top security topics for the last several years. The clouds' increasing popularity [1] is based on the flexibility of virtualization as a technology for replacing and improving complex parts of systems, reducing unnecessary computation and the usage of existing resources. Besides the well-known threats, the clouds introduce a new security and management level. Cloud security vendors (not only cloud vendors, but almost all kinds of vendors) claim that end-user companies prefer cost reduction over security in order to reduce the operational complexity of their clouds (or systems), which eventually ends with a lower amount of security that the end-user will accept. Some security questions about clouds are: how is it implemented, how are the data or communication channels secured, how secure are the cloud and application environments, etc. For example, the well-known phrase "physical security does not exist in clouds" makes no serious sense, because it was already this way when the hosting service arrived. Customers must make improvements over the by-default configuration with each new technology. If the virtual OS is a Windows Server, then the OS has quite a similar security and patch management state as a desktop/server OS. In addition, it is merely a matter of trust, as with downloading and buying third-party solutions, and those might be more trustable than the cloud vendor (they are all third-party solutions). The cloud simply uses well-known protocols like SMTP, HTTP, SSL, TCP/IP etc. to communicate, send email, handle files and perform other activities. The methods that are compliant as part of an RFC should indicate that they are OK. However, a key problem is the lack of a systematic analysis of the security and privacy of such cloud services. Third-party organizations like the Cloud Security Alliance (CSA) promote their recommendations to improve cloud security and maintain a registry of cloud vendors' security controls to help users make the right choice in the security field.

This research analyzes the security aspects which customers rely on, which are basic for cloud and security standards, and which represent at least a minimal set of security state. Enterprises need to comply with different regulations and standards (PCI, CSA, HIPAA, ISO etc.). The aim of this research is to show how gaps in the recommendations of security standards (if there are any) let cloud vendors or their customers successfully pass cloud audit checks and claim compliance despite the different security features among clouds' capabilities. The guidelines in such documents operate at a high level that makes them unclear, miss useful security countermeasures and add superfluity to the customers' vision of the system (cloud).

2. RELATED WORK

Nowadays, AWS is one of the most popular cloud platforms. It offers virtual computing, storage, VPN, archiving, monitoring, health-watching, email and other services as an environment for a user to run applications, store data, operate with events and deliver event data through the different services and in different ways. AWS offers many services with more accessibility, which is important when merging with the cloud. GAE is one more cloud to run web applications written using interpreted and scripting languages like Java/Python, but it has limited features (security and the rest). Windows Azure makes data spreading its cornerstone, via neither storage nor web server. These different goals have a huge influence on security, while all of them were built in accordance with best practices and have security controls that are well documented.

As we have enough security problems and a greater quantity of security solutions to solve these problems on one hand, and standards with best practices that are successfully applied to the clouds (according to the cloud vendors) on the other hand, it should be analyzed whether it is so difficult to pass a cloud compliance audit in accordance with these documents. In this paper, the AWS services are examined as the most similar to known existing technologies. The modern recommendations for clouds are at least quite similar to those given in Table 1, but improved with low-level details such as "you should choose the cloud vendor that offers encryption, and definitely those who offer strong encryption, e.g. AES", which make little sense. The answer why relies on the customers' willingness to see an action to do, such as whether they should rely on this AES encryption or they need to encrypt their data before uploading. It works successfully when customers need to check clouds to choose those that provide more security, but it is bad for clouds that provide many services and security features, because it gives basic rules only.

Table 1 The common security recommendations

Object              What to do
Data Ownership      Full rights and access to data
Data Segmentation   Isolation of data from other customers' data
Data Encryption     Data encryption in transit/memory/storage, at rest
Backup/Recovery     Availability for recovery
Data Destruction    Ability to securely destroy data when no longer needed
Access Control      Who has access to data?
Log Management      Data access that is logged and monitored regularly
Incident Response   Are there processes and notifications in place for incidents (including breaches) that affect data?
Security Controls   Appropriate security and configuration control for data protection
Patch Management    Patching for the latest vulnerabilities and exploits?

One more example is how such documents may substitute for the customer's understanding. NIST [25] talks about cloud limits on security: "the ability to decide who and what is allowed to access subscriber data and programs" and "the ability to monitor the status of a subscriber's data and programs" may, by mistake, follow the idea that no cloud provides such abilities, without knowledge of the cloud infrastructure. Another misthought is about the cloud firewall, with the opinion that cloud features are useless due to the following statement: a cloud firewall should provide centralized management, include pre-defined templates for common enterprise server types and enable the following:

- Source and destination addresses & ports filtering
- Coverage of protocols, DoS prevention
- An ability to design policies per network interface
- Location checks: who/where accessed the data
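The four capabilities in the list above can be shown in a few dozen lines. The following Python is an added example written for this page, not code from the paper or from any cloud vendor: it models per-interface policies built from pre-defined server templates, filters on protocol, source/destination address and destination port, adds a per-source rate guard as a crude flood control, and emits an audit record of who accessed what and where. Interface names, address ranges, ports and the sample flows are constructed values.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp", "icmp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    dports: tuple    # inclusive (low, high) destination port range; ignored for icmp


@dataclass(frozen=True)
class Flow:
    iface: str       # network interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: int


# Constructed sample policy: pre-defined templates for two common server roles,
# attached per network interface (example values, not any vendor's configuration).
WEB_TEMPLATE = (
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", (443, 443)),        # public HTTPS
    Rule("allow", "tcp", "203.0.113.0/24", "10.0.1.0/24", (22, 22)),     # SSH from the admin range only
)
DB_TEMPLATE = (
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.2.0/24", (5432, 5432)),    # only the web tier may reach the DB
)
POLICY = {"eth0-web": WEB_TEMPLATE, "eth1-db": DB_TEMPLATE}


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Protocol, source address, destination address and destination port must all match."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if flow.proto != "icmp":
        low, high = rule.dports
        if not low <= flow.dport <= high:
            return False
    return True


def decide(policy: dict, flow: Flow) -> str:
    """First matching rule on the flow's interface wins; no rule (or no policy) means deny."""
    for rule in policy.get(flow.iface, ()):
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


class SourceRateLimit:
    """Sliding-window count of admitted connections per source address: a crude flood guard."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.seen = defaultdict(list)   # src -> timestamps of admitted connections

    def admit(self, src: str, now: float) -> bool:
        recent = [t for t in self.seen[src] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.seen[src] = recent
            return False
        recent.append(now)
        self.seen[src] = recent
        return True


def filter_flows(policy: dict, limiter: SourceRateLimit, flows):
    """Apply the policy and the flood guard; return audit records of who/where accessed what."""
    records = []
    for t, flow in flows:
        verdict = decide(policy, flow)
        if verdict == "allow" and not limiter.admit(flow.src, t):
            verdict = "deny(rate)"
        records.append((t, flow.iface, flow.proto, flow.src, flow.dst, flow.dport, verdict))
    return records


SAMPLE_FLOWS = [  # constructed traffic: (timestamp, flow)
    (0.0, Flow("eth0-web", "tcp", "198.51.100.7", "10.0.1.10", 443)),
    (0.1, Flow("eth0-web", "tcp", "198.51.100.7", "10.0.1.10", 22)),
    (0.2, Flow("eth0-web", "tcp", "203.0.113.5", "10.0.1.10", 22)),
    (0.3, Flow("eth1-db", "tcp", "10.0.1.10", "10.0.2.20", 5432)),
    (0.4, Flow("eth1-db", "tcp", "198.51.100.7", "10.0.2.20", 5432)),
    (0.5, Flow("eth2-unknown", "tcp", "10.0.1.10", "10.0.2.20", 5432)),
]

if __name__ == "__main__":
    for record in filter_flows(POLICY, SourceRateLimit(limit=3, window_s=1.0), SAMPLE_FLOWS):
        print(record)
```

The point of the per-interface dictionary is that the same host can carry a public-facing template on one interface and a much tighter one on its back-end interface; the audit records are what the "location checks" requirement asks for and are the lines a reviewer would correlate with server logs.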

Besides such detailed how-to sets, there are enough statements that the clouds cannot provide this, so it is still a security hole, while some of them (e.g. AWS) do provide these features. Table 2 [7] shows a brief difference between AWS and Azure on compliance vs. documented technologies to secure and protect data. As a part of non-transparency, it is quite interesting that the differently offered security features and controls have passed e.g. ISO 27xxx, while the cloud difference (comparing each other) looks like a medium feature reduction. The cloud attributes examined in [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. This paper provides a medium-detailed comparison and presents the cloud security/privacy attributes mapped to NIST guidelines. [2-6] and [26] give a brief examination of AWS S3 and GAE, but a summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful and flexible features [7], [8].

Table 2 Compliance difference between AWS and Azure

Type                Feature                                                                       AWS   Azure
Compliance          ISO 27001, CSA, HIPAA                                                         +     +
                    PCI DSS, FISMA, FIPS 140-2, NIST                                              +     N/A
Physical Security   Actions, events logging, logs audit                                           +     +
                    Minimum access rights                                                         +     +
                    Auto revocation of access after N days, role changed, MFA, escort             +     N/A
Data Privacy        Backup, redundancy across the location                                        +     +
                    Redundancy inside one geo location, encryption, DoD/NIST destruction          +     N/A
Network Security    MITM protection, host-based firewall (ip, port, mac), mandatory firewall,
                    hypervisor protection from promiscuous mode                                   +     +
                    Pentesting offer of services                                                  +     -
                    Pentesting offer of apps                                                      +     +
                    DDoS protection, featured firewall                                            +     N/A
Credentials         Login and passwords, SSL                                                      +     +
                    Cross-account IAM, MFA hardware/software, key rotation                        +     N/A

Such recommendations may also advise different sanitizing techniques to use on the client or cloud side. Effective and efficient sanitization is a forensics statement. There are a lot of methods and techniques, but some of them rely on brute-force wiping that is extremely useless for the clouds due to financial matters. ERASERS, proposed in [24], computes the entropy of each data block in the target area and then wipes that block with a specified number of passes and pattern. Patterns and entropy are valuable because the file types (docx, mp3, odf, pgp, acid*) have quite different characteristics. It means that ERASERS has many subpopulations, each of which is applied to certain cases. It gives faster wiping vs. regular brute-force methods of overwriting. As the disk sizes increase up to petabyte scale (recently AWS offers such storage), the brute
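The entropy-driven scheduling that the paragraph attributes to ERASERS [24] is easy to see on a small buffer. The Python below is an added example written for this page, not the ERASERS code from [24]: it computes the Shannon entropy of each fixed-size block, maps the entropy to a number of passes and an overwrite pattern, and applies the plan to an in-memory copy, so the saving against a fixed three-pass brute-force wipe can be counted. The block size, the entropy thresholds, the patterns and the sample area are this example's assumptions.

```python
import math
import os
from collections import Counter

BLOCK_SIZE = 512   # assumed block size for this example


def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniformly spread bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def choose_schedule(entropy: float):
    """Map a block's entropy to (passes, pattern); pattern None means a fresh random pass.
    The thresholds and patterns are this example's assumptions, not values from [24]."""
    if entropy < 1.0:
        return 1, b"\x00"          # near-constant block (e.g. zero-filled): one fixed pass
    if entropy < 6.0:
        return 2, b"\x55\xaa"      # structured data (text, documents): two alternating-bit passes
    return 3, None                 # high-entropy data (compressed/encrypted): three random passes


def plan_wipe(data: bytes, block_size: int = BLOCK_SIZE):
    """Per-block plan as (offset, entropy, passes, pattern) tuples."""
    plan = []
    for off in range(0, len(data), block_size):
        entropy = block_entropy(data[off:off + block_size])
        passes, pattern = choose_schedule(entropy)
        plan.append((off, entropy, passes, pattern))
    return plan


def total_passes(data: bytes, block_size: int = BLOCK_SIZE) -> int:
    """Overwrite passes the plan needs; compare with 3 * number_of_blocks for a fixed wipe."""
    return sum(passes for _, _, passes, _ in plan_wipe(data, block_size))


def wipe(data: bytes, block_size: int = BLOCK_SIZE) -> bytearray:
    """Overwrite an in-memory copy of the area block by block according to the plan."""
    buf = bytearray(data)
    for off, _, passes, pattern in plan_wipe(data, block_size):
        length = min(block_size, len(buf) - off)
        for _ in range(passes):
            if pattern is None:
                fill = os.urandom(length)
            else:
                fill = (pattern * (length // len(pattern) + 1))[:length]
            buf[off:off + length] = fill
    return buf


def sample_area() -> bytes:
    """Constructed target area: a zero-filled block, a text block and a uniform-byte block."""
    zeros = b"\x00" * BLOCK_SIZE
    line = b"patient record: name=EXAMPLE, dob=1970-01-01; "
    text = (line * (BLOCK_SIZE // len(line) + 1))[:BLOCK_SIZE]
    uniform = bytes(range(256)) * (BLOCK_SIZE // 256)    # every byte value equally often: 8.0 bits
    return zeros + text + uniform


if __name__ == "__main__":
    area = sample_area()
    for off, entropy, passes, pattern in plan_wipe(area):
        print(f"block@{off}: entropy={entropy:.2f} bits/byte, passes={passes}, pattern={pattern!r}")
    print("scheduled passes:", total_passes(area), "vs brute force:", 3 * (len(area) // BLOCK_SIZE))
```

On the constructed area the plan spends six passes where a uniform three-pass wipe would spend nine; on a real volume the saving comes from the large share of empty or low-entropy blocks, which is the financial argument the paragraph makes for clouds.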

[...] Security, HR - Human Resource Security, IS - Information Security, RS - Resiliency, SA - Security Architecture. Requirements from the sections [LG - Legal, OP - Operation Management, RI - Risk Management, RM - Release Management] and other non-technical ones are removed, as they are compliant with ISO 27xxx, SOC and COBIT according to independent auditors and reviewers.

Table 3 AWS solutions against a CAIQ

CO-01.1
Question: Any certifications, reports and other relevant documentation in regards to the standards.
AWS response: AWS has these and provides them under NDA.

CO-02.1-7
Question: An ability to provide the tenants with the 3rd-party audit reports, and to conduct the network/application cloud penetration tests as well as internal/external audits regularly (in regards to the guidance), with results.
AWS response: AWS engages independent auditors to review their services and provides the customers with the relevant 3rd-party compliance/attestation/certification reports under NDA. Such audits cover regular scans of their (non-customer) services for vulnerabilities [22-23]; the customers are also able to pentest [21] their own instances subject to the tentative agreement.

CO-03.1-2
Question: An ability to perform vulnerability tests for customers (meaning their own tests) on applications and networks.
AWS response: Customers are able to perform it with permission (writing an email with the instance IDs and the period), requested via the AWS Vulnerability/Penetration Testing Request Form [21].

CO-05.1-2
Question: An ability to logically split the tenants' data into segments (additionally, by encryption) as well as data recovery for specific customers in case of failure or data loss.
AWS response: All data stored by the customers has canonical isolation by path and additional security capabilities like permissions, personal entry points to access the data, as well as MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Additionally, the customer can use any cloud services that offer a backup from and to AWS services, like SME Storage for cloud vendors or Veeam Backup Cloud Edition for VMs.

DG-01.1
Question: An implementation of a structured data-labeling standard.
AWS response: Depends on the customers' needs and their requirements.

DG-02.1-5
Question: An ability to identify the VM via policy tags/metadata to perform quality control or restrict actions, like identifying hardware via policy & tags/metadata, using geolocation as an authentication factor, providing a physical geolocation, and allowing to choose suitable geolocations for resources and data routing.
AWS response: The tenants are able to apply any metadata and tagging to the EC2 VMs to set user-friendly names and enhance searchability. AWS offers several regions [19]. Each of them is covered by a geolocation policy and access, and is able to be restricted by SSL, IP address and time of day. They allow data to be moved between regions directly by the customers via API/SDK.

DG-03.1
Question: Any policies and mechanisms for labeling, handling and security of data.
AWS response: As the customers retain ownership, they are responsible to implement it.

[...] explicitly not allowed, which is also built by AWS. The rest is similar to IS-07.1-2 in regards to AWS staff.

IS-12.1-2
Question: Participation in security groups with benchmarking of the controls against standards.
AWS response: AWS policies are based on COBIT, ISO 27001/27002 and PCI DSS.

IS-13.1
Question: Documentation clarifying the difference between administrative responsibilities vs. those of the tenant.
AWS response: AWS provides these roles among the general security documents (i.e., not among the specific services' documents).

IS-17.1-3
Question: Any policies to address conflicts of interest on SLA, tamper audit, software integrity, and detection of changes to VM configurations.
AWS response: AWS provides the details in the SOC 1 Type II report, in compliance with ISO 27001 (domains 8.2, 11.3), validated by independent auditors.

IS-18.1-2, IS-19.1-4
Question: Ability to create and manage unique encryption keys per tenant, to encrypt data to an identity without access to a public key certificate (identity-based encryption), as well as to protect tenant data during transmission, in VMs, DBs and other data via encryption, and to maintain key management.
AWS response: If keys are created on the server side, AWS creates the unique keys and utilizes them; if they are created on the client side with own or 3rd-party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.

IS-20.1-6
Question: An ability to perform vulnerability scans in regards to the recommendations on the application layer, network layer and local OS layer, and patching afterwards. Providing the info about issues to AWS, who makes it public.
AWS response: Similar to CO-03.1-2 but in more detail: the customers should perform vuln scans and patching despite the VM OSes coming with the latest updates; they are obliged to come to an agreement with AWS and not violate the Policy. Also similar to CO-02.6-7 on providing the results [21-23].

IS-23.1-2, IS-24.1-4
Question: An ability of a SIEM to merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additionally, providing isolation of certain customers during an incident.
AWS response: AWS has this in compliance with ISO. Even though the customers' data is stored with strong isolation from the AWS side and restrictions made by them, all data should be encrypted on the client side, because it leads to direct participation with the law, as AWS does not get the keys in this case.

IS-28.1-2, IS-29.1
Question: An ability to use open encryption (3DES, AES, etc.) to let tenants protect their data in storage and in transfer over public networks. As well, availability of logging, monitoring and restriction of any access to the management systems (controlled hypervisors, firewalls, APIs, etc.).
AWS response: AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Customers may use third-party encryption technologies too, as well as rely on the AWS APIs, which are available via SSL-protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources and provides details in the SOC 1 Type II report.

IS-34.1-3
Question: An ability to monitor and segment/restrict the key utilities that manage virtualized partitions (ex. shutdown, clone, etc.), as well as an ability to detect attacks (blue pill, etc.) on the virtual key components and prevent them.
AWS response: AWS has this and provides details in the SOC 1 Type II report. AWS examines such attacks and provides information if they apply in the Security Bulletins section [35]. An example of a blackbox attack [27], [28] was given in Section 2 of this paper with native security features as a solution.

SA-02.1-7
Question: A capability to use SSO, an identity management system, MFA, a Policy Enforcement Point capability (ex. XACML), to delegate authentication capabilities, to support identity federation standards (SAML, SPML, WS-Federation, etc.), and to use 3rd-party identity assurance services.
AWS response: AWS IAM [15-18] provides secure access and roles to the resources with features to control access, create unique entry points for users, cross-AWS-account access via API/SDK or the IAM console, and create permissions with duration and geo auth. AWS offers identity federation and VPC tunnels to utilize existing corporate identities for access. Additionally, customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20].

SA-03.1, SA-04.1-3, SA-05.1
Question: Any industry standards as a background for Data Security Architecture standards (NIST) to build security into the SDLC, tools detecting security defects and verifying the software. Availability of I/O integrity routines for application interfaces and DBs to prevent errors and data corruption.
AWS response: AWS security is based upon best practices and standards (ISO 27001/27002, COBIT, PCI DSS), certified by independent auditors, to build threat modeling and completion of a risk assessment as a part of the SDLC. AWS implements this through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.

SA-06.1-2, SA-08.1
Question: Environment separation for SaaS/PaaS/IaaS, providing how-to docs.
AWS response: AWS provides a lot of how-to docs, binaries & sources [10-18], [28-29].

SA-07.1
Question: MFA features are a strong requirement for all remote access.
AWS response: MFA is not strong and depends on the customer configuration [20].

SA-09.1-4, SA-10.1-3, SA-11.1
Question: Segmentation of system and network environments in line with compliance, law, protection and regulatory requirements, as well as protection of the network environment perimeter.
AWS response: Internal segmentation is in alignment with ISO and similar to CO-05.1-2, while external segmentation is a part of the customer's responsibility. Internally, traffic restriction is under deny/allow control by default. Externally, customers may use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings.

SA-12.1
Question: NTP or other similar services.
AWS response: AWS services rely on the internal system clocks synchronized via NTP.

SA-13.1
Question: Equipment identification as a method to validate connection authentication integrity based on known location.
AWS response: AWS provides such ability, for example via AWS metadata, geo tags and other tags created by the customers.

SA-15.1-2
Question: Mobile code authorization before its installation, prevention from executing, and usage according to a clearly defined security policy.
AWS response: The customers are responsible to manage it to meet their requirements.
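The DG-02.1-5 and SA-02.1-7 responses above describe access that can be restricted by SSL, IP address and time of day, and permissions carrying a duration and MFA. The following Python is an added example written for this page, not code from the paper or from AWS: it evaluates an IAM-style policy document against a request context using the deny-by-default / explicit-deny-wins rule and the condition keys aws:SecureTransport, aws:SourceIp, aws:CurrentTime and aws:MultiFactorAuthPresent (real IAM condition keys; the condition semantics here are a simplified subset). The bucket name, address range, dates and request contexts are constructed values.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample policy: read access to one bucket only over TLS, from one
# address range, within a date window and with MFA present; plain HTTP is denied
# outright for every S3 action. Names, range and dates are example values.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-records", "arn:aws:s3:::example-records/*"],
            "Condition": {
                "Bool": {"aws:SecureTransport": "true", "aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"aws:CurrentTime": "2013-09-10T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2013-09-14T00:00:00Z"},
            },
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_holds(operator, key, expected, ctx):
    """One condition test; a key missing from the request context fails the test."""
    if key not in ctx:
        return False
    actual, expected = ctx[key], _as_list(expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "StringEquals":
        return str(actual) in [str(e) for e in expected]
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected[0])
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected[0])
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_applies(stmt, ctx):
    """Action and Resource match with IAM-style '*' wildcards, and every condition holds."""
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return all(condition_holds(op, key, expected, ctx)
               for op, tests in stmt.get("Condition", {}).items()
               for key, expected in tests.items())


def evaluate(policy, ctx):
    """Deny by default; any matching explicit Deny overrides every Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request(**overrides):
    """Constructed request context: a TLS, MFA-backed read from the allowed range inside the window."""
    ctx = {
        "action": "s3:GetObject",
        "resource": "arn:aws:s3:::example-records/patient-42.json",
        "aws:SecureTransport": "true",
        "aws:MultiFactorAuthPresent": "true",
        "aws:SourceIp": "203.0.113.7",
        "aws:CurrentTime": "2013-09-11T10:30:00Z",
    }
    ctx.update(overrides)
    return ctx


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, request()))                                    # Allow
    print(evaluate(SAMPLE_POLICY, request(**{"aws:SecureTransport": "false"})))  # Deny
    print(evaluate(SAMPLE_POLICY, request(**{"aws:SourceIp": "198.51.100.9"})))  # ImplicitDeny
```

The two outcomes worth noticing for an audit are that a request failing any one condition (wrong range, outside the window, no MFA) falls through to the implicit deny even though no statement names it, while a plain-HTTP request is refused by the explicit Deny even if another statement would have allowed it; the SA-07.1 row's remark that MFA "depends on the customer configuration" is exactly the difference between writing this condition into the policy and leaving it out.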

Table 4 AWS solutions against a CCM

CO-01
Control specification: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations, with the aim to minimize the risk of business process disruption.
AWS response: AWS has appropriate technical solutions and internal controls to protect customer data against alteration/destruction/loss/etc. Any kind of additional audit information is provided to the customers under NDA.

CO-02
Control specification: Independent reviews shall be performed annually/at planned intervals to aim for highly effective compliance with policies, standards and regulations (i.e., internal/external audits, certifications, vulnerability and penetration testing).
AWS response: AWS shares 3rd-party audit reports under NDA with their customers. Such audits cover regular scans of their (non-customer) services for vulnerabilities [22-23], while the customers are allowed to request a pentest [21] of their own instances.

CO-03
Control specification: 3rd-party service providers shall demonstrate compliance with security due diligence; their reports and services should undergo audit and review.
AWS response: AWS requires 3rd parties to meet important privacy and security requirements, in alignment with ISO 27001 (domain 6.2).

CO-06
Control specification: A policy to safeguard intellectual property.
AWS response: AWS will not disclose customer data to a 3rd party unless required by law, and will not use the data except to detect/repair problems affecting the services.

DG-01
Control specification: All data shall be designated with stewardship, with assigned responsibilities defined, documented and communicated.
AWS response: Customers are responsible for maintaining it regarding their assets.

DG-02
Control specification: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, etc.
AWS response: AWS allows customers to classify their resources by themselves (ex. applying any metadata and tagging to the EC2 VMs to set user-friendly names & enhance searchability).

DG-03
Control specification: Policies/mechanisms for labeling, handling and security of data and objects which contain data.
AWS response: Similar to DG-02.

DG-04
Control specification: Policies for data retention and storage, as well as implementation of backup or redundancy mechanisms to ensure compliance with regulatory and other requirements, validated regularly.
AWS response: AWS infrastructure is validated regularly for any purpose in alignment with security standards, and featured by AWS EBS and Glacier (for data archiving and backup), but the customers have the capability to manage it via the API/SDK.

DG-05
Control specification: Policies and mechanisms for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
AWS response: AWS relies on best practices to wipe data via DoD 5220.22-M/NIST 800-88 techniques; if that is not possible, physical destruction happens.

DG-06-07
Control specification: Security mechanisms to prevent data leakage.
AWS response: AWS has implemented logical (permissions) and physical (segmentation) controls to prevent data leakage (ex. the hypervisor is designed to restrict non-allowed connections between tenant resources); however, the end-users are responsible to manage the right sharing permissions.

FS-06, FS-07
Control specification: Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premises.
AWS response: AWS imposes controls letting the customers manage the data locations. Data will not be moved between different regions, only inside the one that was chosen, to prevent failure.

FS-08
Control specification: A complete inventory of critical assets shall be maintained with ownership defined and documented.
AWS response: AWS maintains a formal policy that requires assets, including the hardware assets, to be monitored by AWS personnel, and maintains relationships with all AWS suppliers in compliance with ISO 27001 (domain 7.1), which gives additional details.

IS-01, IS-02, IS-03
Control specification: Implementation of an ISMP including administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
AWS response: AWS implements an ISMS to address security/privacy best practices and provides the appropriate documentation with details under NDA.

IS-04
Control specification: Implementation of baseline security requirements for applications / DB / systems / network in compliance with policies / regulations / standards.
AWS response: Baseline security requirements are technically implemented with a deny configuration by default and are documented among the AWS security documents for all services (ex. [10-18]).

IS-05
Control specification: Information security policy review at planned intervals.
AWS response: Despite AWS providing a lot of how-to docs, binaries & sources [10-18], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.

IS-07-08
Control specification: Implementation of user access policies for granting/revoking access to apps, DB, and the rest in accordance with security, compliance and SLA.
AWS response: All AWS services are featured by IAM, which provides powerful permission items with predefined templates.

IS-18, IS-19
Control specification: Implemented policies / mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as well as key management.
AWS response: If keys are created on the server side, AWS creates the unique keys and utilizes them; if they are created on the client side with own or 3rd-party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.

IS-20
Control specification: Implemented policies and mechanisms for vulnerability and patch management on the side of apps, systems, and network devices.
AWS response: AWS provides their services with the latest updates and analyzes software updates according to their criticality; the customers have a partial ability to perform vuln scans and patching on top of that, provided they do not violate the Policy [21-23].

IS-21
Control specification: A capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours.
AWS response: AWS does manage AV solutions & updates in compliance with ISO 27001, as confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.

IS-22
Control specification: Policies and procedures to triage security-related events and ensure timely and thorough incident management.
AWS response: AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO and provides the SOC 1 Type II report.

IS-23, IS-24
Control specification: Information security events shall be reported through predefined communication channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
AWS response: AWS contributes to it via [21-23].

IS-26
Control specification: Policies and procedures shall be established for the acceptable use of information assets.
AWS response: According to AWS, only the customers manage and control their data, unless it is needed due to law requirements or troubleshooting aimed at fixing service issues.

IS-32, IS-33
Control specification: Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices.
AWS response: AWS has this, delineates the minimum rights for logical access to AWS resources and provides details in the SOC 1 Type II report.

RS-01-08
Control specification: Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, etc., shall be implemented.
AWS response: Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateways, as well as a status history [19]. AWS provides several Availability Zones in each of six regions to prevent failures, but the customers are responsible to manage it across regions or other cloud vendors via API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about the transport routes is similar to FS-06.1.

SA-02
Control specification: Implementation of user credential and password controls for apps, DB, server and network infrastructure, requiring the following minimum standards.
AWS response: AWS IAM [15-18] provides secure access and roles to the resources with features to control access, create unique entry points for users, cross-AWS-account access via API/SDK or the IAM console, and create powerful permissions with duration and geo auth. AWS offers identity federation and VPC tunnels leading to the utilization of existing corporate identities for access, and temporary security credentials. Additionally, the customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20]. IAM allows creating and handling the sets defined in accordance with the sub-rules of SA-02 (in the original CCM).

SA-06, SA-08
Control specification: Segmentation of production and non-production environments to prevent unauthorized access, restricting connections between trusted & untrusted networks for the use of all allowed services, protocols and ports.
AWS response: AWS provides a lot of how-to docs, binaries & sources (as an example [10-18], [28-29]).

  • 8/13/2019 (PDF) Yury Chemerkin Ita 2013 Proceedings

    16/19

    142

    SA-07 A requirement of MFA for all remote useraccess.

    MFA is not by default and depends on thecustomer configuration [20]

    SA-09SA-10

    SA-11

    A system and network environmentsseparation via firewalls in regards to

    isolation of sensitive data, restrictunauthorized traffic, enhanced with strongencryption for authentication andtransmission, replacing vendor defaultsettings (e.g., encryption keys, passwords,SNMP community strings, etc.)

    An internal segmentation is in alignment withISO and similar to the CO-05.1-2 while

    external is a part of the customerresponsibility. Internally, a traffic restriction istoo and has deny/allow option in EC2/S3 bydefault (but the explicitly cfg isrecommended), etc. Externally, the customersare able to use SSL, encryption key,encryption solutions, security policies toexplicitly approve the security settings (AWS,3rd party or their own)

    SA-12 An external accurate time to synchronizethe system clocks of all information-

    processing systems (US GPS & EUGalileo Satellite)

    AWS services rely on the internal systemclocks synchronized via NTP

    SA-13 A capability of an automated equipmentidentification as a part of authentication.

    AWS provides such ability, for example duethe metadata, geo tags and other tags created

    by the customersSA-14 Audit logs recording privileged user access

    activities, shall be retained, complyingwith applicable policies and regulations,reviewed at least daily and file integrity(host) and network intrusion detection(IDS) tools implemented to helpinvestigation in case of incidents.

    AWS have this one in compliance with ISOand provides the results with SOC 1 Type IIReport. AWS has the incident response

    program in compliance too. Even thecustomers data stored with strong isolationfrom AWS side and restrictions made bythem, additional materials (SOC 1 Type IIreport) must be requested to clarify allquestions on forensics. All data should beencrypted on client side, because it leads tothe customers participation with law directlyas AWS do not have the keys in this case.

    SA-15 A mobile code authorization before itsinstallation, prevention from executing andusing to a clearly defined security policy

    The customers are responsible to manage it tomeet their requirements.
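The SA-02 and SA-07 rows say that IAM gives customers the building blocks (policies, the Policy Generator, MFA devices) but that MFA is opt-in. The following is an added example, not code from the paper or from AWS, of the static check a customer can run over its own policy documents: it flags catch-all statements and privileged actions that are not gated on the IAM condition key aws:MultiFactorAuthPresent. The policy grammar and that condition key are real IAM features; the two sample policies and the list of action prefixes treated as privileged are constructed for this illustration.

```python
"""Static audit of IAM policy documents for the SA-02 / SA-07 points above.

Added example, not code from the paper or from AWS. The policy grammar
(Version, Statement, Sid, Effect, Action, NotAction, Resource, Condition)
and the condition key aws:MultiFactorAuthPresent are real IAM features;
the sample policies and the list of actions treated as privileged are
constructed for this illustration.
"""
import json

# Assumption: action prefixes a reviewer wants gated behind MFA.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "ec2:authorize", "s3:put", "s3:delete")

# Constructed sample 1: a catch-all administrator policy with no MFA condition.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminNoMfa", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed sample 2: privileged actions only with MFA, everything else
# denied when MFA is absent (except the calls needed to enrol a device).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PrivilegedWithMfa", "Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "s3:PutObject"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyWithoutMfa", "Effect": "Deny",
         "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice",
                       "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "ec2:DescribeInstances"], "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement applies only to MFA-authenticated callers."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        for key, value in condition.get(operator, {}).items():
            if key.lower() == "aws:multifactorauthpresent":
                if any(str(v).lower() == "true" for v in _as_list(value)):
                    return True
    return False


def _is_privileged(action):
    """Action names are case-insensitive in IAM; '*' matches everything."""
    lowered = action.lower()
    return lowered == "*" or lowered.startswith(PRIVILEGED_PREFIXES)


def audit_policy(document):
    """Return a list of (Sid, finding) for an IAM policy JSON string or dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        sid = statement.get("Sid", "Statement%d" % index)
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        elif "*" in actions:
            findings.append((sid, "wildcard Action"))
        if "NotAction" in statement:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        privileged = [a for a in actions if _is_privileged(a)]
        if privileged and not _requires_mfa(statement):
            findings.append((sid, "privileged actions without an aws:MultiFactorAuthPresent "
                                  "condition: " + ", ".join(privileged)))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

The hardened sample combines an Allow that is conditional on MFA with a Deny that uses BoolIfExists, so that callers whose session carries no MFA attribute at all (long-lived access keys) are also denied; the audit only reasons about Allow statements, because a Deny can only narrow what the policy grants.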
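For the SA-09 to SA-11 rows the paper notes that EC2 filters traffic with deny/allow rules by default but recommends explicit configuration. As an added example that is not the paper's or AWS's own code, the audit below walks security group records in the shape returned by the EC2 DescribeSecurityGroups API and reports ingress rules that expose management ports or all traffic to the Internet; a weak group and a hardened one are constructed inline, using RFC 5737 documentation address ranges, and the list of management ports is an assumption.

```python
"""Ingress audit for EC2 security groups, for the SA-09..SA-11 point that
traffic filtering exists but should be configured explicitly.

Added example, not from the paper or from AWS. The record shape follows the
IpPermissions structure returned by the EC2 DescribeSecurityGroups API; the
groups, CIDRs (RFC 5737 documentation ranges) and port list are constructed.
"""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: management protocols that should never face the Internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 161: "SNMP", 5900: "VNC"}

# Constructed: SSH and all-traffic rules open to the world.
WEAK_GROUP = {
    "GroupId": "sg-0000weak",
    "GroupName": "legacy-app",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}

# Constructed: SSH only from a corporate range, HTTPS public, application port
# reachable only from another security group (no CIDR at all).
HARDENED_GROUP = {
    "GroupId": "sg-0000hard",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0000lb"}]},
    ],
}


def _port_range(permission):
    """IpProtocol '-1' means all protocols and therefore all ports."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def _cidrs(permission):
    """Collect the IPv4 and IPv6 source ranges of one rule."""
    v4 = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_security_group(group):
    """Return (severity, message) findings for one security group record.

    A group with no ingress rules is the implicit-deny state a new custom
    group starts in, so it yields no findings.
    """
    findings = []
    for permission in group.get("IpPermissions", []):
        public = [c for c in _cidrs(permission) if c in PUBLIC_CIDRS]
        if not public:
            continue  # restricted CIDR or group-to-group reference only
        low, high = _port_range(permission)
        sources = ", ".join(public)
        if permission.get("IpProtocol") == "-1":
            findings.append(("high", "all protocols and ports open to %s" % sources))
            continue
        exposed = [name for port, name in MANAGEMENT_PORTS.items() if low <= port <= high]
        if exposed:
            findings.append(("high", "%s reachable from %s" % ("/".join(exposed), sources)))
        else:
            findings.append(("info", "ports %d-%d open to %s; confirm this is a public service"
                             % (low, high, sources)))
    return findings


def worst_severity(findings):
    """Collapse a finding list to its highest severity, or 'none'."""
    order = {"high": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for group in (WEAK_GROUP, HARDENED_GROUP):
        print(group["GroupName"], worst_severity(audit_security_group(group)))
```

The hardened group still produces one informational finding for port 443, which is the intended state for a public web tier; the point of the explicit configuration the paper recommends is that every Internet-facing rule is a deliberate decision rather than a leftover default.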
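The SA-14 row requires privileged-access logs to be retained and reviewed at least daily, and the SA-07 row notes that MFA is opt-in. As an added example that is not the paper's or AWS's code, the review below runs over audit records in the CloudTrail event format and surfaces the three things a daily reviewer looks for first: any use of the root identity, console logins without MFA, and identity-changing API calls made from sessions without MFA. The field names (eventName, eventSource, userIdentity.type, sessionContext.attributes.mfaAuthenticated, additionalEventData.MFAUsed) are CloudTrail's; the five events, the account number and the addresses are constructed, and which event sources count as privileged is an assumption.

```python
"""Daily review of CloudTrail-style audit records for the SA-14 requirement
(privileged access logged and reviewed) and the SA-07 remark that MFA is
opt-in.

Added example, not code from the paper or from AWS. Field names follow the
CloudTrail event format; the events themselves are constructed, with the
documentation account number 123456789012 and RFC 5737 addresses.
"""
from collections import Counter

# Constructed sample trail: five events from one day.
SAMPLE_EVENTS = [
    {"eventTime": "2013-02-16T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2013-02-16T09:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2013-02-16T09:20:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},  # access key, no session
    {"eventTime": "2013-02-16T10:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2013-02-16T11:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Assumption: what counts as a privileged (identity- or permission-changing) call.
PRIVILEGED_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def principal(event):
    """Human-readable actor: 'root' or the IAM user name."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def mfa_authenticated(event):
    """CloudTrail records MFA as strings; absent context means no MFA session."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def is_privileged(event):
    """Write calls against IAM/STS; read-only calls are excluded."""
    return (event.get("eventSource") in PRIVILEGED_SOURCES
            and not event.get("eventName", "").startswith(READ_ONLY_PREFIXES))


def review_events(events):
    """Summarize one review period: findings plus per-principal privileged counts."""
    report = {"root_usage": [], "console_login_without_mfa": [],
              "privileged_without_mfa": [], "privileged_by_principal": Counter()}
    for event in events:
        who = principal(event)
        name = event.get("eventName")
        if who == "root":
            report["root_usage"].append((event["eventTime"], name))
        if name == "ConsoleLogin" and not mfa_authenticated(event):
            report["console_login_without_mfa"].append((event["eventTime"], who))
        if is_privileged(event):
            report["privileged_by_principal"][who] += 1
            if not mfa_authenticated(event):
                report["privileged_without_mfa"].append((event["eventTime"], who, name))
    return report


if __name__ == "__main__":
    for key, value in review_events(SAMPLE_EVENTS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

An access-key call carries no sessionContext at all, which is why bob's AttachUserPolicy is reported: the absence of the MFA attribute is treated as "not MFA-authenticated", not as "unknown".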

4. CONCLUSION

Any complex solution or system such as AWS, Azure or GAE tends to be prone to security compromise, because it has to handle large-scale computation and dynamic configuration. Cloud vendors usually do not disclose technical security details to customers, which raises the question of how to verify them against the appropriate requirements. Cloud security depends on whether the cloud vendor has implemented security controls that are documented and backed by policy. However, there is a lack of visibility into how clouds operate; each of them differs from the others in the levels of control, monitoring and securing mechanisms that are widely known for non-cloud systems. The potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards that are certified by auditors and help customers evaluate whether and how AWS meets the requirements. CAIQ/CCM provide an equivalent of them across several standards. A partially bad idea is public documents filled in by vendors with general explanations that refer to NDA-only reports, multiplied by common recommendations.


Besides the details from third-party audit reports, customers may require assurance with respect to local laws and regulations. Treating implementation and configuration information as proprietary information is quite complicated (that is neither bad nor good, just complicated). In other words, it may call for specific levels of audit logging, activity reporting, security controlling and data retention that are often not part of the SLA offered by providers. The result of an examination of AWS security controls against security standards and regulations, shown in [8] and partially in [7], is that the standards are passed successfully by using only the native security features implemented in the AWS Console, CLI and API/SDK. It additionally includes cases where the current AWS security features should be enhanced via third-party security solutions, such as national encryption on the client side before uploading data, and cases where compliance can only be achieved indirectly. Speaking of security enhancement, not only the security controls belonging to the cloud layer (outside the VMs) should be used to protect data, communications, memory, etc., but also internal OS controls and third-party solutions together. This excludes obsolescent clauses and cases that simply await a solution from AWS for an inability to build and implement something appropriate. OS and third-party solutions known from non-cloud systems allow protecting critical and confidential information present in various system, configuration and other files from alteration, exposure and unauthorized access.

Examination of cloud solutions such as Azure, BES with AWS and Azure, and Office 365 with Cloud BES against other standards is a part of further research; however, the significant direction is improving the existing CSA and NIST recommendations in order to enhance transparency through primarily technical requirements: on the cloud layer, on the inter-VM/DB and inter-cloud-services layer, and on the VM/DB layer.

5. REFERENCES

[1] Mell, P. & Grance, T. (2011) The NIST Definition of Cloud Computing. Recommendation of the National Institute of Standards and Technology, NIST.

[2] Abuhussein, A., Bedi, H. & Shiva, S. (2012) Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective, The 7th International Conference for Internet Technology and Secured Transactions, pp. 388-395, Dec 2012.

[3] Feng, J., Chen, Y. & Liu, P. (2010) Bridging the Missing Link of Cloud Data Storage Security in AWS, 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, Jan 2010.

[4] Hu, Y., Lu, F., Khan, I. & Bai, G. (2012) A Cloud Computing Solution for Sharing Healthcare Information, The 7th International Conference for Internet Technology and Secured Transactions, pp. 465-470, Dec 2012.

[5] Google cloud services: App Engine. [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]

[6] Technical Overview of the Security Features in the Windows Azure Platform. [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]

[7] Chemerkin, Y. (2012) AWS Cloud Security from the Point of View of the Compliance, PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, vol. 2, no. 10, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, Dec 2012.

[8] Chemerkin, Y. Analysis of Cloud Security against the Modern Security Standards, draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, in May).

[9] Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology, NIST SP 800-88.

[10] Amazon EC2 Microsoft API Reference. [Online resource: docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-Dec-12]

[11] AWS Import/Export Developer Guide. [Online resource: aws.amazon.com/documentation/importexport/, Accessed: 16-Dec-12]

[12] Amazon Virtual Private Cloud Network Administrator Guide. [Online resource: docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-Dec-12]

[13] Reported SSL Certificate Validation Errors in API Tools and SDKs. [Online resource: aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-Jan-13]

[14] Amazon S3 API Reference. [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-Dec-12]

[15] Amazon IAM API Reference. [Online resource: docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-Dec-12]

[16] Amazon Using Temporary Security Credentials. [Online resource: docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-Dec-12]

[17] Amazon AWS Security Token Service API Reference. [Online resource: docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-Dec-12]

[18] Amazon Command Line Reference. [Online resource: docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-Dec-12]

[19] AWS Services Health Status. [Online resource: status.aws.amazon.com/, Accessed: 16-Feb-13]

[20] AWS MFA. [Online resource: aws.amazon.com/mfa, Accessed: 16-Feb-13]

[21] AWS Vulnerability/Pentesting Request Form. [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-Feb-13]

[22] AWS Abuse Reports (EC2, other AWS services). [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-Feb-13]

[23] AWS Vulnerability Reporting. [Online resource: aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-Feb-13]

[24] Medsger, J. & Srinivasan, A. (2012) ERASE: EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation, The 7th International Conference for Internet Technology and Secured Transactions, pp. 427-432, Dec 2012.

[25] DRAFT Cloud Computing Synopsis and Recommendations, NIST Special Publication 800-146. [Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-Jan-13]

[26] Security Whitepaper: Google Apps Messaging and Collaboration Products. [Online resource: cryptome.org/2012/12/google-cloud-sec.pdf, Accessed: 23-Nov-13]

[27] Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) All Your Clouds are Belong to us: Security Analysis of Cloud Management Interfaces, 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, Oct 2011.

[28] Reported SOAP Request Parsing Vulnerabilities. [Online resource: aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-Jan-13]

[29] Xen Security Advisories. [Online resource: aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-Jan-13]

[30] The Essential Intelligent Client. [Online resource: www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-Jan-13]

[31] Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR. [Online resource: news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-Nov-13]

[32] The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software, 19th ACM Conference on Computer and Communications Security, pp. 38-49, Oct 2012.

[33] CSA Consensus Assessments Initiative Questionnaire v1.1. [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Dec-12]

[34] CSA Cloud Controls Matrix v1.3. [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Jan-13]

[35] AWS Security Bulletins. [Online resource: aws.amazon.com/security/security-bulletins/, Accessed: 16-Feb-13]