Proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13)

Editors: Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, & Julie Mayers
Co-editors: Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, & Susan Liggett
Glyndŵr University, Wrexham, North Wales, UK
10-13 September 2013

ISBN 978-0-946881-81-9

PROCEEDINGS OF THE FIFTH INTERNATIONAL CONFERENCE ON INTERNET TECHNOLOGIES AND APPLICATIONS (ITA 13)

Tuesday 10th to Friday 13th September 2013
Glyndŵr University, Wrexham, Wales, UK
http://www.ita13.org

Editors
Rich Picking, Stuart Cunningham, Nigel Houlden, Denise Oram, Vic Grout, Julie Mayers

Co-editors
Nathan Clarke, Carlos Guerrero, Raed A Abd-Alhameed, Susan Liggett

Hosted by
Creative and Applied Research for the Digital Society (C.A.R.D.S.), Glyndŵr University, Plas Coch Campus, Mold Road, Wrexham, LL11 2AW, UK

ISBN: 978-0-946881-81-9
www.cards-uk.org
© Glyndŵr University, 2013
All rights reserved
Printed in the United Kingdom

No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopy, recording or otherwise) without the prior written permission of the publisher or distributor.

FOREWORD

Croeso i Ogledd Cymru. Croeso i Wrecsam!
Welcome to North Wales. Welcome to Wrexham!

These are the proceedings of the Fifth International Conference on Internet Technologies and Applications (ITA 13), hosted by the University Centre for Creative and Applied Research for the Digital Society (C.A.R.D.S.) at Glyndŵr University, Wrexham, North Wales, UK from Tuesday 10th to Friday 13th September 2013. The conference has been sponsored by the British Computer Society (BCS) Chester and North Wales Branch, the British Computer Society (BCS) Health in Wales Group, the European Union 7th Framework Programme (Project Geryon), the UK National Health Service (NHS) Wales Informatics Service (NWIS), ENIAC (Project Artemos), The Applied Computational Electromagnetics Society (ACES) and Modibbo Adama University of Technology, Yola (MAUTECH). We thank them all for their support.

SECURITY COMPLIANCE CHALLENGES ON CLOUDS

Yury Chemerkin
Independent Security Researcher / PhD in progress
Russian State University for the Humanities (RSUH)
Moscow, Russia
[email protected]

ABSTRACT

Cloud vendors today offer many integration and optimisation features in fields such as business and education, and there are many ways to adopt them for medical purposes, such as maintaining medical records or monitoring patients. Not every cloud solution has completely changed the original security paradigm; customers still need to manage accessibility, monitoring and auditing. An appropriate security level has become a very important issue for customers. Compliance is part of security, and it becomes the cornerstone when cloud vendors refer to worldwide standards.

KEYWORDS: Cloud security, compliance, Amazon Web Services, AWS, CSA Cloud Controls Matrix, CSA, CCM, CAIQ, CSA Consensus Assessments Initiative Questionnaire

1. INTRODUCTION

Cloud computing has been one of the top security topics for the last several years. The growing popularity of clouds [1] rests on the flexibility of virtualisation as a technology for replacing and improving complex parts of systems, reducing unnecessary computation and making better use of existing resources. Besides the well-known threats, clouds introduce a new security and management layer. Security vendors (not only cloud vendors, but vendors of almost every kind) claim that end-user companies prefer cost reduction over security in order to reduce the operational complexity of their clouds (or systems), which eventually results in a lower level of security that the end user will accept. Some of the security questions about clouds are: how is it implemented, how are the data and communication channels secured, how secure are the cloud and application environments, and so on. For example, the well-known phrase "physical security does not exist in clouds" makes no serious sense, because the same was already true when hosting services arrived. With each new technology, the customer must improve on the default configuration. If the virtual OS is a Windows Server, then it is in much the same security and patch management state as any desktop or server OS. In addition, using a cloud is a matter of trust, just like downloading and buying third-party solutions, and the cloud vendor may well be more trustworthy than those (they are all third-party solutions). The cloud simply uses well-known protocols such as SMTP, HTTP, SSL and TCP/IP to communicate, send email, handle files and so on. Methods that are compliant with the relevant RFC should be taken as OK as far as that goes. However, a key problem is the lack of a systematic analysis of the security and privacy of such cloud services. Third-party organisations like the Cloud Security Alliance (CSA) promote recommendations for improving cloud security and maintain a registry of cloud vendors' security controls to help users make the right choice on security grounds.

This research analyses the security aspects on which customers rely, which are basic for cloud and security standards and represent at least a minimal security baseline. Enterprises need to comply with many different regulations and standards (PCI, CSA, HIPAA, ISO, etc.). The aim of the research is to find the gaps (if any) in the recommendations of security standards that let cloud vendors or their customers pass cloud audit checks and claim compliance even though the security features of the clouds differ. The guidelines in such documents operate at a high level that makes them unclear, miss useful security countermeasures, and add superfluity to the customer's view of the system (cloud).

2. RELATED WORK

Nowadays AWS is one of the most popular cloud platforms. It offers virtual computing, storage, VPN, archiving, monitoring, health monitoring, email and other services: an environment in which a user can run applications, store data, operate on events and deliver event data through different services and in different ways. AWS offers many services with greater accessibility, which matters when migrating to the cloud. GAE is another cloud for running web applications written in interpreted and scripting languages such as Java/Python, but it has limited features (security and otherwise). Windows Azure makes data distribution its cornerstone, rather than storage or a web server. These different goals have a strong influence on security, although all of them were built in accordance with best practices and have well-documented security controls.

Since on one hand we have enough security problems and an even greater number of security solutions for them, and on the other hand standards with best practices that have been successfully applied to clouds (according to the cloud vendors), it is worth analysing whether it is really so difficult to pass a cloud compliance audit against these documents. In this paper the AWS services are examined, as the ones most similar to known existing technologies.

Modern recommendations for clouds are at least quite similar to those given in Table 1, but refined into low-level details such as "you should choose a cloud vendor that offers encryption, and definitely one that offers strong encryption, e.g. AES", which make little sense. The reason is that customers want to see an action to take, such as whether they should rely on this AES encryption or encrypt their data before uploading. Such advice works well when customers need to compare clouds in order to choose the more secure one, but it is poor for clouds that provide many services and security features, because it consists of basic rules only.

Table 1 The common security recommendations

Object | What to do
Data Ownership | Full rights and access to data
Data Segmentation | Isolation of data from other customers' data
Data Encryption | Encryption of data in transit, in memory, in storage and at rest
Backup/Recovery | Availability for recovery
Data Destruction | Ability to securely destroy data when it is no longer needed
Access Control | Who has access to data?
Log Management | Data access that is logged and monitored regularly
Incident Response | Are there processes and notifications in place for incidents (including breaches) that affect data?
Security Controls | Appropriate security and configuration controls for data protection
Patch Management | Patching for the latest vulnerabilities and exploits?

Another example is how such documents may replace the customer's own understanding. NIST [25] talks about cloud limits on security: "the ability to decide who and what is allowed to access subscriber data and programs … the ability to monitor the status of a subscriber's data and programs …", which may lead a reader without knowledge of cloud infrastructure to the mistaken idea that "no cloud provides such abilities". Another misconception concerns the cloud firewall, where cloud features are held to be useless because of the following statement: a cloud firewall should provide centralised management, include pre-defined templates for common enterprise server types and enable the following:

- Source and destination address and port filtering
- Coverage of protocols, DoS prevention
- An ability to design policies per network interface
- Location checks on who accessed data and from where

Besides such detailed "how-to" sets, there are plenty of statements that clouds cannot provide these, so that it remains a security hole, while some of them (e.g. AWS) do provide these features. Table 2 [7] shows a brief comparison between AWS and Azure on compliance versus the documented technologies for securing and protecting data. As part of the "non-transparency", it is quite interesting that the differing security features and controls on offer have all passed e.g. ISO 27xxx, while the difference between the clouds (compared with each other) looks like a moderate feature reduction. The cloud attributes examined in [2] are backup, encryption, authentication, access controls, data isolation and monitoring, security standards, disaster recovery, client-side protection, etc. That work provides a medium-detail comparison and maps the cloud security/privacy attributes to NIST guidelines. [2-6] and [26] give a brief examination of AWS S3 and GAE, but a summary comparison over [10], [12], [14], [15] makes clear that AWS offers the most powerful and flexible features [7][8].

Table 2 Compliance difference between AWS and Azure

Type | Control | AWS | Azure
Compliance | ISO 27001, CSA, HIPAA | + | +
Compliance | PCI DSS, FISMA, FIPS 140-2, NIST | + | N/A
Physical Security | Actions and events logging, log audit | + | +
Physical Security | Minimum access rights | + | +
Physical Security | Automatic revocation of access after N days or on role change, MFA, escort | + | N/A
Data Privacy | Backup, redundancy across locations | + | +
Data Privacy | Redundancy inside one geo location, encryption, DoD/NIST destruction | + | N/A
Network Security | MITM protection, host-based firewall (IP, port, MAC), mandatory firewall, hypervisor protection from promiscuous mode | + | +
Network Security | Pentesting offered for services | + | -
Network Security | Pentesting offered for apps | + | +
Network Security | DDoS protection, featured firewall | + | N/A
Credentials | Login and passwords, SSL | + | +
Credentials | Cross-account IAM, MFA hardware/software, key rotation | + | N/A

Such recommendations may also advise different sanitisation techniques to use on the client or cloud side. Effective and efficient sanitisation is a forensics matter. There are many methods and techniques, but some of them rely on brute-force wiping, which is extremely impractical for clouds for financial reasons. ERASERS, proposed in [24], computes the entropy of each data block in the target area and then wipes that block with a specified number of passes and a specified pattern. Patterns and entropy are valuable because different file types (docx, mp3, odf, pgp, acid*) have quite different characteristics. This means that ERASERS has many sub-populations, each applied to particular cases, which gives faster wiping than regular brute-force overwriting. As disk sizes grow to the petabyte scale (AWS recently began offering such storage), brute-force methods are becoming nearly impossible to complete in time. Many drives contain areas that hold no data needing overwriting, as is known for SSDs, which shuffle data between blocks on every write but leave the encrypted area untouched. According to NIST SP 800-88 [9], "studies have shown that most of data can be effectively cleared by one overwrite with random data rather than zeroing". The original version of DoD 5220.22-M (which AWS implements) recommends a 3-pass wipe with one pass of a uniform character, one pass of its complement, and one pass of random characters, while the current DoD 5220.22-M does not specify the number of passes or the pattern. Since ERASERS shows good results, it should be implemented for AWS EC2 or other cloud VMs.
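The mechanism described above, entropy-guided per-block overwriting instead of a uniform brute-force pass over the whole device, is illustrated below with an example added by the editor. It is not the ERASERS code from [24] and not an AWS tool: the block size, the entropy threshold and the decision rule (skip all-zero blocks, one random pass for sparse low-entropy blocks, the original DoD 5220.22-M three-pass pattern for denser blocks) are the editor's assumptions, and the five-block "disk image" is constructed in the code. It runs entirely in memory.

```python
import math
import os
from collections import Counter
from typing import Dict, List

BLOCK_SIZE = 512  # assumed block size for the constructed demo image


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def plan_passes(block: bytes, low_entropy: float = 1.0) -> int:
    """Editor's heuristic (not the ERASERS rule) mapping block content to an overwrite plan:
      0 passes: all-zero block, nothing to destroy (the 'areas needing no overwrite').
      1 pass:   low entropy (padding, sparse metadata); one random pass, as NIST SP 800-88 allows.
      3 passes: denser content (documents, compressed or encrypted data); the original
                DoD 5220.22-M pattern: a character, its complement, then random data."""
    if not any(block):
        return 0
    return 1 if shannon_entropy(block) < low_entropy else 3


def overwrite_patterns(size: int, passes: int) -> List[bytes]:
    """Byte patterns for the chosen plan: random only, or 0x55, its complement 0xAA, then random."""
    if passes == 1:
        return [os.urandom(size)]
    return [b"\x55" * size, b"\xaa" * size, os.urandom(size)]


def wipe(image: bytearray, block_size: int = BLOCK_SIZE) -> Dict[str, int]:
    """Overwrite the image in place, block by block, and report how much work was done."""
    report = {"skipped": 0, "one_pass": 0, "three_pass": 0, "bytes_written": 0}
    for off in range(0, len(image), block_size):
        block = bytes(image[off:off + block_size])
        passes = plan_passes(block)
        if passes == 0:
            report["skipped"] += 1
            continue
        report["one_pass" if passes == 1 else "three_pass"] += 1
        for pattern in overwrite_patterns(len(block), passes):
            image[off:off + len(block)] = pattern  # each pass lands on the media in turn
            report["bytes_written"] += len(block)
    return report


def all_destroyed(before: bytes, after: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Verification step: no originally non-zero block may survive unchanged."""
    for off in range(0, len(before), block_size):
        b, a = before[off:off + block_size], after[off:off + block_size]
        if any(b) and a == b:
            return False
    return True


def build_demo_image() -> bytearray:
    """Constructed five-block image: two empty blocks, one sparse block, one text block
    and one random block standing in for already encrypted or compressed data."""
    empty = b"\x00" * BLOCK_SIZE
    sparse = b"\x20" * (BLOCK_SIZE - 12) + b"A" * 12  # entropy well below 1 bit/byte
    text = (b"The quick brown fox jumps over the lazy dog. " * 12)[:BLOCK_SIZE]
    random_blk = os.urandom(BLOCK_SIZE)
    return bytearray(empty + empty + sparse + text + random_blk)


if __name__ == "__main__":
    img = build_demo_image()
    before = bytes(img)
    rep = wipe(img)
    print(rep, "brute-force 3-pass would write", 3 * len(before), "bytes")
    print("all non-zero blocks destroyed:", all_destroyed(before, bytes(img)))
```

On the constructed image the planner writes 3584 bytes against 7680 for a uniform three-pass wipe, and the verification pass confirms every non-zero block changed. The saving grows with the proportion of empty or sparse blocks, which is the paper's point about petabyte-scale storage; the threshold is the part a practitioner has to justify for the file types they actually hold.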

One of the most serious works on AWS security [27] reports the results of a "black box" analysis methodology applied to the control interfaces (AWS EC2 and S3), which were compromised via novel signature wrapping and advanced XSS techniques, HTML injection, and SOAP validation and man-in-the-middle issues. The authors examined possible means of protection and found that the AWS EC2 and S3 services did not provide suitable opportunities to implement their solutions. Despite that, solutions based on native AWS security features to protect against these attacks were found [28]:

- Using SSL/HTTPS only, with certificate validation, and using API access mechanisms such as REST/Query instead of SOAP
- Enabling access via MFA and creating IAM accounts with limited access, with AWS credential rotation enhanced by key pairs and X.509 certificates
- Limiting IP access, enhanced with the API/SDK and IAM
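The three native controls listed above (TLS-only access, MFA-gated IAM identities with limited permissions, and source-IP restriction) are expressed in practice as IAM policy conditions, and the same controls reappear in Table 3 under DG-02, SA-02 and SA-07. The following is an example added by the editor, not code from the paper or from AWS: a constructed IAM policy using the real condition keys aws:SourceIp, aws:MultiFactorAuthPresent and aws:SecureTransport, together with a small evaluator that models only the subset of IAM semantics needed to see how they interact (explicit Deny wins over Allow; a condition key missing from the request context fails the condition, which is how the MFA gate works). The bucket name, the statement Sids and the 203.0.113.0/24 "office" range are assumptions.

```python
import fnmatch
import ipaddress
import json
from typing import Any, Dict, List

# Constructed policy (editor's example, not an AWS-published one). 203.0.113.0/24 is a
# documentation range standing in for the customer's office egress addresses.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketAccessFromOfficeWithMFA",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "Bool": {"aws:MultiFactorAuthPresent": "true"}
      }
    },
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Evaluate the modelled IAM condition operators against the request context.
    A key absent from the context makes the condition false (IAM behaviour without the
    ...IfExists operators). aws:MultiFactorAuthPresent is only present when the caller
    authenticated with MFA, so requiring Bool true on it gates access on MFA."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
    return True


def _matches(patterns: Any, value: str, case_insensitive: bool) -> bool:
    """IAM-style '*' wildcard match; action names are case-insensitive, resource ARNs are not."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow' or 'Deny'. IAM order: any matching explicit Deny wins, then any
    matching Allow grants, otherwise the request is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource, case_insensitive=False):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    ok = {"aws:SourceIp": "203.0.113.42", "aws:MultiFactorAuthPresent": "true",
          "aws:SecureTransport": "true"}
    print(evaluate(POLICY, "s3:GetObject", obj, ok))                                   # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, {**ok, "aws:SourceIp": "198.51.100.7"}))  # Deny
    print(evaluate(POLICY, "s3:GetObject", obj, {**ok, "aws:SecureTransport": "false"}))  # Deny
```

The evaluator makes the failure modes visible: a caller on the right network but without MFA never gets an Allow because the MFA key is simply absent from the context, and a caller who satisfies every Allow condition over plaintext HTTP is still refused by the explicit Deny. Real IAM has many more operators and global keys; the point here is only the interaction of the three controls the paper names.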

Virtualisation refers to a hypervisor, while a virtual machine works from a configured snapshot of an OS image and requires the well-known shared resources: memory, storage and network. It is generally agreed that, even with these shared resources isolated so as not to affect other instances, VMs can be trusted in only a few cases, since they are vulnerable to most of the known Xen attacks. However, no Xen vulnerability has been applied to AWS services [29], which gives some understanding of the term "customise" with regard to clouds. Another way of taking control, via AMT commands [30], applies to VMware, but there is no known successful implementation for AWS, Azure, GAE or other clouds. It may also have serious performance problems, such as overloading the virtual OS with the analysis of CPU instructions and system calls, regardless of where the trusted/untrusted control agents are, multiplied by known issues best demonstrated in the case of the GPU [31].

There are certainly virtualisation security issues in clouds, and they should be taken into consideration. One striking example [32] concerns incorrect behaviour in the SSL certificate validation mechanisms of the AWS SDK for EC2, ELB and FPS. AWS has since updated all the SDKs (for all services) to fix it [13].

3. EXAMINATION OF THE CSA DOCUMENTS ON CLOUDS

The CSA documents give vendors and their customers a medium-detail overview of which statements the cloud security features apply to, as defined in the Consensus Assessments Initiative Questionnaire (CAIQ) and the Cloud Controls Matrix (CCM). Cloud vendors announce that their services operate in accordance with them; however, customers are responsible for controlling their own environment and determining whether it really is compliant. In other words, the question is how transparent the cloud controls and configurations are. This is where the regulations meet the technical equipment, so the publicly available technical evidence is examined from that point of view first. Each control ID (CID) is kept so that it can be found in the CAIQ [33] and CCM [34], while its explanation is rewritten to reduce the amount of text and grouped by domain/control group and by similar questions/metrics. Some conventions are used in Tables 3 and 4: each abbreviation is the short name of a Control Group ID: CO - Compliance, DG - Data Governance, FS - Facility Security, HR - Human Resource Security, IS - Information Security, RS - Resiliency, SA - Security Architecture. Requirements from the sections LG (Legal), OP (Operation Management), RI (Risk Management) and RM (Release Management) and other non-technical ones are omitted, since their compliance with ISO 27xxx, SOC and COBIT is established by independent auditors and reviewers.

Table 3 AWS solutions against the CAIQ

CID | Question | AWS response
CO-01.1 | Any certifications, reports and other relevant documentation regarding the standards | AWS has these and provides them under NDA.
CO-02.1-7 | Ability to provide tenants with third-party audit reports, and to conduct network/application cloud penetration tests as well as regular internal/external audits (in line with the guidance) with results | AWS engages independent auditors to review its services and provides customers with the relevant third-party compliance/attestation/certification reports under NDA. Such audits cover regular vulnerability scans of AWS's own (non-customer) services [22-23]; customers may also pentest their own instances [21] under a prior agreement.
CO-03.1-2 | Ability for customers to perform their own vulnerability tests on applications and networks | Customers may do so after obtaining permission (by email, stating the instance IDs and the period) through the AWS Vulnerability/Penetration Testing Request Form [21].
CO-05.1-2 | Ability to logically segment tenant data (additionally, through encryption) and to recover data for a specific customer in case of failure or data loss | All customer data has canonical isolation by path plus additional security capabilities such as permissions, personal entry points for data access and MFA. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Additionally, customers may use any cloud service offering backup from and to AWS, such as SME Storage for cloud vendors or Veeam Backup Cloud Edition for VMs.
DG-01.1 | Implementation of a structured data-labelling standard | Depends on the customers' needs and requirements.
DG-02.1-5 | Ability to identify VMs via policy tags/metadata in order to perform quality control or restrict actions, such as identifying hardware via policy and tags/metadata, using geolocation as an authentication factor, providing physical geolocation, and allowing suitable geolocations to be chosen for resources and data routing | Tenants may apply any metadata and tags to EC2 VMs to set user-friendly names and enhance searchability. AWS offers several regions [19], each covered by a geolocation policy and access that can be restricted by SSL, IP address and time of day. Customers may move data between regions directly via the API/SDK.
DG-03.1 | Any policies and mechanisms for labelling, handling and securing data | As the customers retain ownership, they are responsible for implementing this.

DG-04.1-2 | Technical capabilities to enforce tenant data retention policies, and a documented policy on government requests | Customers have the capability to manage retention, control and delete their data, except where AWS must comply with the law.
DG-05.1-2 | Secure deletion (e.g. degaussing / cryptographic wiping) and provision of the procedures describing how the cloud vendor handles this deletion | At the end of a storage device's useful life, AWS performs a decommissioning process using DoD 5220.22-M / NIST 800-88 techniques to prevent data exposure. In addition, the device is degaussed or physically destroyed.
DG-07.1-2 | Presence of controls to prevent data leakage/compromise between AWS tenants | No serious security bugs in the AWS environment are known to have been successfully exploited, or that cannot be 'patched' by using the implemented PCI controls [27-29] to segment resources from each other. The hypervisor is designed to restrict non-allowed connections between tenant resources.
DG-08.1 | Availability of control health data to implement continuous monitoring that validates the services' status | AWS provides independent auditor reports under NDA, and customers can build continuous monitoring of logical controls on their own systems, additionally implementing [19].
FS-04.1 | Ability to tell customers which geo locations data traverses into and out of, with regard to the law | AWS commits not to move customers' content out of their chosen region without notifying them, in compliance with the law. The rest is similar to DG-02.5.
FS-06.1, FS-07.1 | Availability of documents explaining if and where data may be moved between locations (e.g. backups) and how equipment is repurposed, as well as sanitisation of resources | AWS leaves control of data locations to the customers. Data is not moved between different regions, only within the one chosen, to prevent failure. The rest is similar to DG-05.1-2 (which covers the AWS side only).
IS-04.1-3 | Ability to provide documents with security recommendations per component, to import trusted VMs, and to continuously monitor and report compliance | Customers may [11] use their own VMs by importing images via AWS VM Import, and AWS Import/Export accelerates moving large amounts of data in and out for backup or disaster recovery. The rest is similar to DG-08.1 in line with ISO (domains 12.1, 15.2).
IS-05.1 | Ability to notify customers of information security/privacy policy changes | Although AWS provides many how-to documents, binaries and sources [10-18], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified.
IS-08.1-2 | Documents describing how the cloud vendor grants and approves access to tenant data, and whether the provider's and tenant's data classification methodologies are aligned | Customers, as data owners, are responsible for the development, content, operation, maintenance and use of their content.
IS-09.1-2 | Revocation/modification of user access to data upon any change in the status of employees, contractors, customers, etc. | Amazon provides enough security controls to maintain an appropriate security policy and permissions, so that data does not spread where it is not explicitly allowed; these controls are also built by AWS. The rest is similar to IS-07.1-2 regarding AWS staff.

IS-12.1-2 | Participation in security groups that benchmark the controls against standards | AWS policies are based on COBIT, ISO 27001/27002 and PCI DSS.
IS-13.1 | Documentation clarifying the difference between administrative responsibilities and those of the tenant | AWS describes these roles in its general security documents (not in the service-specific documents).
IS-17.1-3 | Any policies addressing conflicts of interest on SLAs, tamper auditing, software integrity, and detection of changes to VM configurations | AWS provides the details in its SOC 1 Type II report, in compliance with ISO 27001 (domains 8.2, 11.3), validated by independent auditors.
IS-18.1-2, IS-19.1-4 | Ability to create and manage unique encryption keys per tenant, to encrypt data to an identity without access to a public key certificate (identity-based encryption), to protect tenant data in transmission, VMs, databases and elsewhere via encryption, and to maintain key management | If keys are created on the server side, AWS creates unique keys and uses them; if they are created on the client side with the customer's own or third-party solutions, only the customer can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20.1-6 | Ability to perform vulnerability scans as recommended at the application layer, network layer and local OS layer, and then to patch. Provision of information about issues to AWS, which makes it public | Similar to CO-03.1-2 but in more detail: customers should perform vulnerability scans and patching even though the VM OS images come with the latest updates; they are obliged to reach an agreement with AWS and not violate the Policy. Also similar to CO-02.6-7 on providing the results [21-23].
IS-23.1-2, IS-24.1-4 | Ability of a SIEM to merge data sources (application logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting. Additionally, isolation of particular customers during an incident | AWS has this in compliance with ISO. Even though customer data is stored with strong isolation and restrictions on the AWS side, all data should be encrypted on the client side, because then AWS does not hold the keys and any lawful request has to involve the customer directly.
IS-28.1-2, IS-29.1 | Ability to use open encryption (3DES, AES, etc.) so that tenants can protect their data in storage and in transit over public networks. Also, availability of logging, monitoring and restriction of any access to the management systems (controlling hypervisors, firewalls, APIs, etc.) | AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL) and VPC (encrypted connections and sessions). Customers may also use third-party encryption technologies, and the AWS APIs are available via SSL-protected endpoints. AWS has a logging feature, delineates the minimum standards for logical access to AWS resources, and provides details in its SOC 1 Type II report.

IS-34.1-3 | Ability to monitor and segment/restrict the key utilities that manage virtualised partitions (e.g. shutdown, clone, etc.), and to detect and prevent attacks (blue pill, etc.) on key virtual components | AWS has this and provides details in its SOC 1 Type II report. AWS examines such attacks and publishes information on whether they apply in its "Security Bulletins" section [35]. An example of a black-box attack [27], [28] was given in Section 2 of this paper, with native security features as the solution.
SA-02.1-7 | Capability to use SSO, an identity management system, an MFA Policy Enforcement Point (e.g. XACML), to delegate authentication, to support identity federation standards (SAML, SPML, WS-Federation, etc.) and to use third-party identity assurance services | AWS IAM [15-18] provides secure access and roles to resources, with features to control access, create unique entry points for users, grant cross-account access via the API/SDK or the IAM console, and create permissions with duration and geo-based authentication. AWS offers identity federation and VPC tunnels so that existing corporate identities can be used for access. Additionally, customers can avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20].
SA-03.1, SA-04.1-3, SA-05.1 | Any industry standards as the basis for a data security architecture (NIST) to build security into the SDLC, tools to detect security defects and verify the software, and availability of I/O integrity routines for application interfaces and databases to prevent errors and data corruption | AWS security is based on best practices and standards (ISO 27001/27002, COBIT, PCI DSS), certified by independent auditors, with threat modelling and completion of a risk assessment as part of the SDLC. AWS implements this through all phases, including transmission, storage and processing of data, in compliance with ISO 27001 (domain 12.2), certified by independent auditors.
SA-06.1-2, SA-08.1 | Environment separation for SaaS/PaaS/IaaS, and provision of how-to documents | AWS provides many how-to documents, binaries and sources [10-18], [28-29].
SA-07.1 | MFA as a strict requirement for all remote access | MFA is not a strict requirement; whether it is enforced depends on the customer's configuration [20].
SA-09.1-4, SA-10.1-3, SA-11.1 | Segmentation of system and network environments in line with compliance, legal, protection and regulatory requirements, as well as protection of the network environment perimeter | Internal segmentation is aligned with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internally, traffic restriction is under 'deny/allow' control by default. Externally, customers may use SSL, encryption keys, encryption solutions and security policies to explicitly approve the security settings.
SA-12.1 | NTP or a similar service | AWS services rely on internal system clocks synchronised via NTP.
SA-13.1 | Equipment identification as a method of validating connection authentication integrity based on known location | AWS provides this ability, for example through AWS metadata, geo tags and other tags created by the customers.
SA-15.1-2 | Authorisation of mobile code before installation, and prevention of its execution and use except according to a clearly defined security policy | Customers are responsible for managing this to meet their requirements.

Page 13: (Pdf) yury chemerkin _ita_2013 proceedings

139

Table 4. AWS solutions against the CCM

CID | Control Specification | AWS Response
CO-01 | Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations, with the aim of minimizing the risk of business process disruption. | AWS has appropriate technical solutions and internal controls to protect customer data against alteration, destruction, loss, etc. Any additional audit information is provided to customers under NDA.
CO-02 | Independent reviews shall be performed annually or at planned intervals to ensure effective compliance with policies, standards and regulations (i.e., internal/external audits, certifications, vulnerability and penetration testing). | AWS shares third-party audit reports with its customers under NDA. Such audits cover regular scans of AWS's own (non-customer) services for vulnerabilities [22-23], while customers are allowed to request a pentest [21] of their own instances.
CO-03 | Third-party service providers shall demonstrate compliance with security due diligence; their reports and services should undergo audit and review. | AWS requires third parties to meet important privacy and security requirements in alignment with ISO 27001 (domain 6.2).
CO-06 | A policy to safeguard intellectual property | AWS will not disclose customer data to a third party unless required by law, and will not use the data except to detect or repair problems affecting the services.
DG-01 | All data shall be designated with stewardship, with assigned responsibilities defined, documented and communicated. | Customers are responsible for maintaining this for their own assets.
DG-02 | Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, etc. | AWS allows customers to classify their resources themselves (e.g., by applying metadata and tags to EC2 VMs to set user-friendly names and enhance searchability).
DG-03 | Policies/mechanisms for labeling, handling and security of data and objects which contain data | Similar to DG-02.
DG-04 | Policies for data retention and storage, as well as implementation of backup or redundancy mechanisms to ensure compliance with regulatory and other requirements, validated regularly | The AWS infrastructure is validated regularly in alignment with security standards, and backup is featured by AWS EBS and Glacier (for data archiving and backup); customers are able to manage it through the API/SDK.
DG-05 | Policies and mechanisms for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means. | AWS relies on best practices to wipe data using DoD 5220.22-M / NIST 800-88 techniques; if this is not possible, the media is physically destroyed.
DG-06-07 | Security mechanisms to prevent data leakage. | AWS has implemented logical (permissions) and physical (segmentation) controls to prevent data leakage (e.g., the hypervisor is designed to restrict non-allowed connections between tenant resources); however, end users are responsible for managing the right sharing permissions.


FS-06, FS-07 | Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premises. | AWS gives customers control over their data locations. Data will not be moved between regions, only within the region that was chosen, to prevent failure.
FS-08 | A complete inventory of critical assets shall be maintained with ownership defined and documented. | AWS maintains a formal policy that requires assets to be inventoried; hardware assets are monitored by AWS personnel, and relationships are maintained with all AWS suppliers in compliance with ISO 27001 (domain 7.1), which can be consulted for additional details.
IS-01, IS-02, IS-03 | Implementation of an ISMP including administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction | AWS implements an ISMS that addresses security/privacy best practices and provides the appropriate documentation under NDA.
IS-04 | Implementation of baseline security requirements for applications / DB / systems / network in compliance with policies / regulations / standards. | Baseline security requirements are technically implemented with a 'deny' configuration by default and documented in the AWS security documents for all services (e.g., [10-18]).
IS-05 | Information security policy review at planned intervals | Although AWS provides many how-to documents, binaries and sources [10-18], [28-29] that are regularly updated, it is better to subscribe to the news via RSS and email, because there is no other direct way to be notified by AWS.
IS-07-08 | Implementation of user access policies and procedures for granting/revoking access to apps, DB, and the rest in accordance with security, compliance and SLA. | All AWS services are featured by IAM, which provides powerful permission items with predefined templates.
IS-18, IS-19 | Implemented policies/mechanisms allowing data encryption in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as well as key management | If keys are created on the server side, AWS creates unique keys and utilizes them; if keys are created on the client side with the customer's own or third-party solutions, only the customers can manage them. AWS encryption mechanisms are available for S3 (Server Side Encryption), EBS (encrypted storage for EC2 AMIs), SimpleDB, EC2 (via EBS plus SSL), VPC (encrypted connections and sessions), etc.
IS-20 | Implemented policies and mechanisms for vulnerability and patch management for apps, systems, and network devices | AWS provides its services with the latest updates and analyzes software updates for criticality; customers have a partial ability to perform vulnerability scans and patching of their own resources without violating the Policy [21-23].
IS-21 | Capability of AV solutions to detect, remove, and protect against all known types of malicious or unauthorized software, with antivirus signature updates at least every 12 hours. | AWS manages AV solutions and updates in compliance with ISO 27001, as confirmed by independent auditors. Additionally, customers should maintain their own solutions to meet their requirements.
IS-22 | Policies and procedures to triage security related events and ensure timely and thorough incident management. | AWS has defined role responsibilities and incident handling in internal documents in compliance with ISO and provides the SOC 1 Type II report.
IS-23, IS-24 | Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements | AWS supports this through [21-23].
IS-26 | Policies and procedures shall be established for the acceptable use of information assets. | According to AWS, only the customers manage and control their data, unless access is required by law or for troubleshooting aimed at fixing service issues.
IS-32, IS-33 | Policies and mechanisms to limit access to sensitive data (especially application, program or object source code) from portable and mobile devices | AWS has this, delineates the minimum rights for logical access to AWS resources and provides details in the SOC 1 Type II report.
RS-01-08 | Documented policy and procedures defining continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets through a combination of preventive and recovery controls, in accordance with regulations and standards. Physical protection against damage from natural causes and disasters as well as deliberate attacks, including fire, flood, etc., shall be implemented. | Such policies are in alignment with ISO 27001 (domain 14.1). AWS provides the CloudWatch service to monitor the state of AWS EC2, EBS, ELB, SQS, SNS, DynamoDB and Storage Gateway, as well as a status history [19]. AWS provides several Availability Zones in each of its six regions to prevent failures, but customers are responsible for managing this across regions or other cloud vendors via the API and SDK. Physical protection is in compliance with ISO 27001 and 27002. Information about transport routes is similar to FS-06.1.
SA-02 | Implementation of user credential and password controls for apps, DB, servers and network infrastructure, requiring the following minimum standards | AWS IAM [15-18] provides secure access and roles to resources, with features to control access, create unique entry points for users, grant cross-account access via the API/SDK or IAM console, and create powerful permissions with duration and geo-based conditions. AWS offers identity federation and VPC tunnels, which allow existing corporate identities to be used for access, as well as temporary security credentials. Additionally, customers may avoid mistakes and risks by using the AWS Policy Generator and MFA devices [20]. IAM allows creating and handling the permission sets defined in accordance with the sub-rules of SA-02 (in the original CCM).
SA-06, SA-08 | Segmentation of production and non-production environments to prevent unauthorized access; restriction of connections between trusted and untrusted networks to the services, protocols and ports allowed | AWS provides many how-to documents, binaries and sources (for example [10-18], [28-29]).

Page 16: (Pdf) yury chemerkin _ita_2013 proceedings

142

SA-07 | A requirement of MFA for all remote user access. | MFA is not enabled by default and depends on the customer configuration [20].
SA-09, SA-10, SA-11 | Separation of system and network environments via firewalls with regard to isolation of sensitive data and restriction of unauthorized traffic, enhanced with strong encryption for authentication and transmission, and replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.) | Internal segmentation is aligned with ISO and similar to CO-05.1-2, while external segmentation is part of the customer's responsibility. Internally, traffic is restricted too, with a 'deny/allow' option in EC2/S3 by default (but an explicit configuration is recommended), etc. Externally, customers are able to use SSL, encryption keys, encryption solutions and security policies (AWS, third-party or their own) to explicitly approve the security settings.
SA-12 | An external accurate time source to synchronize the system clocks of all information-processing systems (US GPS and EU Galileo satellites) | AWS services rely on internal system clocks synchronized via NTP.
SA-13 | A capability for automated equipment identification as a part of authentication. | AWS provides such a capability, for example through metadata, geo tags and other tags created by the customers.
SA-14 | Audit logs recording privileged user access activities shall be retained in compliance with applicable policies and regulations and reviewed at least daily, and file integrity (host) and network intrusion detection (IDS) tools shall be implemented to help investigation in case of incidents. | AWS has this in compliance with ISO and provides the results in the SOC 1 Type II Report. AWS has a compliant incident response program too. Even though customers' data is stored with strong isolation on the AWS side and under restrictions made by AWS, additional materials (the SOC 1 Type II report) must be requested to clarify all questions on forensics. All data should be encrypted on the client side, because then the customer deals with law enforcement directly, as AWS does not have the keys in this case.
SA-15 | Mobile code is authorized before installation and use, and prevented from executing, according to a clearly defined security policy | Customers are responsible for managing this to meet their requirements.
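The rows IS-04, SA-02 and SA-07 above describe the same mechanism from three angles: IAM permissions that are denied by default, carry duration and source-location conditions, and can be made to require MFA. The following Python is an added example and is not code from the paper or from AWS. It builds such a policy document and runs a deliberately reduced simulation of IAM's evaluation order (an applicable explicit Deny wins, otherwise an applicable Allow is needed, otherwise the request is implicitly denied) against constructed request contexts. The condition keys and operators are real IAM ones; the bucket ARN, the corporate CIDR, the expiry date, the request contexts and the treatment of a missing key under NotIpAddress are assumptions of this model, and it supports only the operators it uses.

```python
"""Deny-by-default IAM-style policy with MFA, source-IP and duration conditions,
plus a reduced evaluator. Added example, not AWS code."""
import fnmatch
import ipaddress
import json
from datetime import datetime, timezone

BUCKET_ARN = "arn:aws:s3:::example-bucket"          # hypothetical bucket
OBJECT_ARN = BUCKET_ARN + "/report.csv"             # hypothetical object
CORPORATE_CIDR = "203.0.113.0/24"                   # assumed office range (RFC 5737 space)
EXPIRES = "2013-12-31T23:59:59Z"                    # assumed end of the granted duration


def build_policy(bucket_arn: str) -> dict:
    """One scoped Allow (SA-02 duration) and two explicit Denies that override it
    whenever MFA is absent (SA-07) or the caller is off the known network (SA-13).
    Separate Deny statements are used because operators inside one Condition
    block are ANDed by IAM; here either failure alone must deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowReadWithinDuration", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": [bucket_arn, bucket_arn + "/*"],
             "Condition": {"DateLessThan": {"aws:CurrentTime": EXPIRES}}},
            {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
             # BoolIfExists: a request with no MFA key at all is also denied.
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
            {"Sid": "DenyOffNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": CORPORATE_CIDR}}},
        ],
    }


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _matches(pattern, value: str) -> bool:
    """Action/Resource matching with IAM's '*' wildcard; accepts a string or list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """All operator blocks must hold (IAM ANDs them). Only the operators used
    in build_policy() are modelled."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != expected.lower():
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            elif operator == "NotIpAddress":
                # Model choice: a missing source IP is treated as 'not in range' (deny).
                if actual is not None and \
                        ipaddress.ip_address(actual) in ipaddress.ip_network(expected):
                    return False
            elif operator == "DateLessThan":
                if actual is None or _parse_time(actual) >= _parse_time(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched)."""
    allowed = False
    for statement in policy["Statement"]:
        if not (_matches(statement["Action"], action)
                and _matches(statement["Resource"], resource)):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def request_context(mfa, source_ip: str, now: str) -> dict:
    """Constructed request context; mfa=None models a request with no MFA key."""
    ctx = {"aws:SourceIp": source_ip, "aws:CurrentTime": now}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    return ctx


def demo() -> dict:
    """Decisions for a few constructed requests, keyed by scenario."""
    policy = build_policy(BUCKET_ARN)
    in_time, late = "2013-06-01T12:00:00Z", "2014-01-01T00:00:00Z"
    return {
        "mfa_onnet": evaluate(policy, "s3:GetObject", OBJECT_ARN, request_context(True, "203.0.113.7", in_time)),
        "no_mfa": evaluate(policy, "s3:GetObject", OBJECT_ARN, request_context(None, "203.0.113.7", in_time)),
        "offnet": evaluate(policy, "s3:GetObject", OBJECT_ARN, request_context(True, "198.51.100.9", in_time)),
        "expired": evaluate(policy, "s3:GetObject", OBJECT_ARN, request_context(True, "203.0.113.7", late)),
        "unlisted_action": evaluate(policy, "s3:DeleteObject", OBJECT_ARN, request_context(True, "203.0.113.7", in_time)),
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET_ARN), indent=2))
    print(demo())
```

The last two scenarios show why the 'deny by default' remark in IS-04 matters: an expired grant and an action the Allow never named both fall through to an implicit deny without any Deny statement having to anticipate them. Before relying on a real policy of this shape, check it with the IAM policy simulator, since this model ignores policy types, principals and the full operator set.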

4. CONCLUSION

Complex solutions and systems like AWS, Azure or GAE tend to be prone to security compromise, because they have to operate large-scale computations under dynamic configuration. Cloud vendors usually do not disclose technical security details to their customers, which raises the question of how to verify them against the appropriate requirements. Cloud security depends on whether the cloud vendor has implemented security controls that are documented and backed by policy. However, there is a lack of visibility into how clouds operate; each of them differs from the others in the levels of control, monitoring and securing mechanisms that are widely known for non-cloud systems. This potential vulnerability requires a high degree of security combined with transparency and compliance. AWS relies on security frameworks based on various standards that are certified by auditors and help customers evaluate if and how AWS meets the requirements. The CAIQ and CCM provide an equivalent of these across several standards. What works less well is public documents filled in by vendors with general explanations, references to NDA-only reports and common recommendations.


Besides the details from third-party audit reports, customers may require assurance with respect to local laws and regulations. It is quite complicated when implementation and configuration information is withheld as proprietary (which is neither bad nor good, just complicated). In other words, local requirements may call for specific levels of audit logging, activity reporting, security control and data retention that are often not part of the SLA offered by providers. The result of examining AWS security controls against security standards and regulations, shown in [8] and partially in [7], is that the standards can be passed using only the native security features implemented in the AWS Console, CLI and API/SDK. It additionally covers cases where the current AWS security features should be enhanced with third-party security solutions, such as national encryption applied on the client side before uploading data, and cases where requirements can only be met indirectly. Regarding security enhancement, not only the security controls belonging to the cloud layer (outside the VMs) should be used to protect data, communications, memory, etc., but also internal OS controls and third-party solutions together. This rules out obsolete clauses and the 'just wait for a solution from AWS' approach when AWS is unable to build and implement an appropriate one. OS and third-party solutions known from non-cloud systems allow protecting the critical and confidential information present in system, configuration and other files against alteration, exposure and unauthorized access.

Examining cloud solutions such as Azure, BES with AWS and Azure, and Office 365 with Cloud BES against other standards is part of further research; however, the significant direction is improving the existing CSA and NIST recommendations in order to enhance transparency through primarily technical requirements: at the cloud layer, at the inter-VM/DB and inter-cloud-services layer, and at the VM/DB layer.

5. REFERENCES

[1] Mell, P. & Grance, T. (2011) "The NIST Definition of Cloud Computing", Recommendations of the National Institute of Standards and Technology, NIST.
[2] Abuhussein, A., Bedi, H. & Shiva, S. (2012) "Evaluating Security and Privacy in Cloud Computing Services: A Stakeholder's Perspective", The 7th International Conference for Internet Technology and Secured Transactions, pp. 388-395, Dec 2012.
[3] Feng, J., Chen, Y. & Liu, P. (2010) "Bridging the Missing Link of Cloud Data Storage Security in AWS", 7th Consumer Communications and Networking Conference (CCNC), pp. 1-2, Jan 2010.
[4] Hu, Y., Lu, F., Khan, I. & Bai, G. (2012) "A Cloud Computing Solution for Sharing Healthcare Information", The 7th International Conference for Internet Technology and Secured Transactions, pp. 465-470, Dec 2012.
[5] "Google cloud services – App Engine" [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]
[6] "Technical Overview of the Security Features in the Windows Azure Platform" [Online resource: www.google.com/enterprise/cloud/appengine/, Accessed: 23-Nov-12]
[7] Chemerkin, Y. (2012) "AWS Cloud Security from the point of view of the Compliance", PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, vol. 2, no. 10, Issue 10/2012 (12), ISSN 2084-1116, pp. 50-59, Dec 2012.
[8] Chemerkin, Y. "Analysis of Cloud Security against the modern security standards", draft (to be published in PenTest Magazine, Software Press Sp. z o.o. Sp. Komandytowa, Warszawa, in May).
[9] Kissel, R., Scholl, M., Skolochenko, S. & Li, X. (2006) "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology", NIST SP 800-88.
[10] "Amazon EC2 API Reference" [Online resource: docs.aws.amazon.com/AWSEC2/latest/APIReference/, Accessed: 05-Dec-12]
[11] "AWS Import/Export Developer Guide" [Online resource: aws.amazon.com/documentation/importexport/, Accessed: 16-Dec-12]
[12] "Amazon Virtual Private Cloud Network Administrator Guide" [Online resource: docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide, Accessed: 05-Dec-12]
[13] "Reported SSL Certificate Validation Errors in API Tools and SDKs" [Online resource: aws.amazon.com/security/security-bulletins/reported-ssl-certificate-validation-errors-in-api-tools-and-sdks/, Accessed: 15-Jan-13]
[14] "Amazon S3 API Reference" [Online resource: docs.aws.amazon.com/AmazonS3/latest/API/, Accessed: 20-Dec-12]
[15] "Amazon IAM API Reference" [Online resource: docs.aws.amazon.com/IAM/latest/APIReference/, Accessed: 29-Dec-12]
[16] "Amazon Using Temporary Security Credentials" [Online resource: docs.aws.amazon.com/IAM/latest/UsingSTS/, Accessed: 29-Dec-12]
[17] "Amazon AWS Security Token Service API Reference" [Online resource: docs.aws.amazon.com/STS/latest/APIReference/, Accessed: 29-Dec-12]
[18] "Amazon Command Line Reference" [Online resource: docs.aws.amazon.com/IAM/latest/CLIReference/, Accessed: 29-Dec-12]
[19] "AWS Services Health Status" [Online resource: status.aws.amazon.com/, Accessed: 16-Feb-13]
[20] "AWS MFA" [Online resource: aws.amazon.com/mfa, Accessed: 16-Feb-13]
[21] "AWS Vulnerability/Pentesting Request Form" [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest, Accessed: 16-Feb-13]
[22] "AWS Abuse Reports (EC2, other AWS services)" [Online resource: portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse, Accessed: 16-Feb-13]
[23] "AWS Vulnerability Reporting" [Online resource: aws.amazon.com/security/vulnerability-reporting/, Accessed: 16-Feb-13]
[24] Medsger, J. & Srinivasan, A. (2012) "ERASE: EntRopy-based SAnitization of SEnsitive Data for Privacy Preservation", The 7th International Conference for Internet Technology and Secured Transactions, pp. 427-432, Dec 2012.
[25] "DRAFT Cloud Computing Synopsis and Recommendations", NIST Special Publication 800-146 [Online resource: csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf, Accessed: 06-Jan-13]
[26] "Security Whitepaper: Google Apps Messaging and Collaboration Products" [Online resource: cryptome.org/2012/12/google-cloud-sec.pdf, Accessed: 23-Nov-13]
[27] Somorovsky, J., Heiderich, M., Jensen, M., Schwenk, J., Gruschka, N. & Iacono, L.L. (2011) "All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces", 3rd ACM Cloud Computing Security Workshop (CCSW), pp. 3-14, Oct 2011.
[28] "Reported SOAP Request Parsing Vulnerabilities" [Online resource: aws.amazon.com/security/security-bulletins/reported-soap-request-parsing-vulnerabilities-reso/, Accessed: 15-Jan-13]
[29] "Xen Security Advisories" [Online resource: aws.amazon.com/security/security-bulletins/xen-security-advisories/, Accessed: 15-Jan-13]
[30] "The Essential Intelligent Client" [Online resource: www.vmworld.com/servlet/JiveServlet/downloadBody/5700-102-1-8823/Intel%20The%20Essential%20Intelligent%20Client.pdf, Accessed: 15-Jan-13]
[31] "Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR" [Online resource: news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html/, Accessed: 22-Nov-13]
[32] Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D. & Shmatikov, V. (2012) "The most dangerous code in the world: validating SSL certificates in non-browser software", 19th ACM Conference on Computer and Communications Security (CCS), pp. 38-49, Oct 2012.
[33] "CSA Consensus Assessments Initiative Questionnaire v1.1" [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Dec-12]
[34] "CSA Cloud Controls Matrix v1.3" [Online resource: cloudsecurityalliance.org/research/cai/, Accessed: 22-Jan-13]
[35] "AWS Security Bulletins" [Online resource: aws.amazon.com/security/security-bulletins/, Accessed: 16-Feb-13]