Cloud Computing - understanding security risk and management
The aim of this paper is to make the cloud service consumer aware of cloud computing fundamentals, its essential characteristics, service models and deployment options. It also throws light on the Security and Risk Management piece of the CSA Trusted Cloud Reference Architecture, the Cloud Controls Matrix, the Notorious Nine threats and ENISA's top risks to cloud computing. At the end it talks about certifications and attestations.
Author – Shamsundar Machale (CISSP)
Fig.1 NIST Visual Model of Cloud Computing Definition

What is the definition of Cloud Computing?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
The above NIST definition defines in what way you can deploy cloud, what service offerings you can make available and what the essential characteristics of cloud are. Fig. 1 represents the visual model of the above NIST cloud computing definition. Let's take a deeper look into the definition.

Any cloud should demonstrate certain essential characteristics to get the full benefits of cloud. Any missing essential characteristic would not give you 100% benefit from cloud computing.
Whatever is not your core, outsource it. Similarly, maintaining capex IT infrastructure and information is not your core, so outsource it to a specialized agency, i.e. a Cloud Service Provider (CSP).
Multi-tenancy is the fundamental principle behind resource pooling, but keep in mind that resource pooling is not limited to your servers and storage; it extends to network connectivity, physical security, administration of cloud services and, last but not least, your facility space. The CSP uses the same infrastructure to provide services to multiple clients from the same or different geographies. This provides great benefit to the Cloud Consumer (CC) through no direct capital investment and the pay-per-use model of cloud. Only the required amount of compute, storage etc. is provisioned and no extra investment is made by the CC. At the same time, resource pooling might become a huge risk if an attacker uses the shared pooled resource to steal sensitive information processed by the CC. This is possible through attacks such as guest hopping or side channel attacks to capture cryptographic keys.
The second essential characteristic is on-demand self-service. The CC should be able to do the provisioning / de-provisioning of computing resources by themselves with minimum administrative involvement from the CSP. The lead time required for provisioning and de-provisioning should be reduced significantly.
Rapid elasticity means the CC should be able to expand and contract services as per their requirements with immediate effect, and will be charged on a pay-per-usage policy. There should not be any lock-in on the CSP side when reducing the required level of resources.
As there is a trend of BYOD and consumerization, people want to access applications independent of location and end device, which essentially means there should be no restriction on your work location (office, home or cafe) or on how you access it (desktop, laptop, smartphone or tablet).
Lastly, the CC should be able to measure the services offered by the CSP through the SLA.
Let's take a look at service offering models; there are typically three kinds of service offering models, as below.
IaaS (Infrastructure as a Service) – Here you get only infrastructure like compute and storage. This is nothing but a plain vanilla virtual machine with an operating system, e.g. Amazon EC2 and S3, Rackspace etc.
PaaS (Platform as a Service) – Here you expect a little bit more from the CSP, which will help in the development of applications on the provided infrastructure. It includes development tools, configuration management and deployment platforms such as Microsoft Azure, Force and Google App Engine.
SaaS (Software as a Service) – This is the full package of an application; the CC has to just use it and need not worry about how and where it is running or who is managing the show. It is a pure service such as an online CRM system (Salesforce.com), online office tools (Office 365), online content filtering and messaging etc.
As you move from IaaS to SaaS the CC loses control over the services whereas the CSP gains more control, as depicted in the figure below.
Fig-2
Now we will look at the third tier of the cloud computing definition, which is nothing but deployment options. As you have seen in the above visual model, there are four ways in which cloud services can be deployed.
Public Cloud – Available publicly; multiple customers can avail of the same services with different SLA commitments.
Private Cloud – Built specifically for a single customer and available to only that customer.
Community Cloud – Services offered to a set of customers that form a community, such as cloud services for power generation companies, cloud services for the manufacturing industry etc.
Hybrid Cloud – A combination of any of the above.
The table below provides more information about the deployment models.
Fig.3
As mentioned above, security of cloud services is a joint responsibility of the CC and the CSP, and the split purely depends on the service offering.
As per CSA's "Trusted Cloud Reference Architecture version 2.0", Security and Risk Management is one of the key building blocks to focus on if you want to build a trusted cloud.
Fig.4 CSA Trusted cloud security reference architecture
This block basically talks about the domains below.
Governance Risk and Compliance – How are you going to manage governance, risk, audit, vendor, policy and awareness around CSP support staff?
InfoSec Management – Capability management, risk portfolio, risk dashboard, and residual risk management.
Privilege Management Infrastructure – This purely focuses on how effectively you manage identities in the cloud. How secure is your authentication service? How do you manage authorization and accountability of identities in the cloud? How are privileged identities handled?
Threat and Vulnerability Management – How do you keep the environment vulnerability free and up to date with the latest patches, and give assurance on compliance testing to the CC?
Infrastructure Protection Services – How do you protect your applications, operating systems on servers, databases, network and end points? What kind of technical controls are put around these? Do you have a perimeter firewall at the network level, are servers locked down as per hardening guidelines, do you have anti-virus and HIPS / HIDS installed at the end points, is logging and monitoring enabled, and do you have an application level firewall and web content filtering?
Data Protection – How well are you managing the data lifecycle, what controls are in place to prevent data loss, how are you protecting your intellectual property and how effective is your cryptographic service management?
Policies and Standards – Have you defined information security policies and guidelines based on industry standards like ISO 27001? Are an operational security baseline and standard operating procedures defined and followed within the organization? Are asset / data classification guidelines defined and practiced within the team?

What is Security for Cloud Computing?
As per CSA, security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. This means we have to focus on a defense in depth approach for security in cloud computing.
The focus of the defense in depth approach is always data at the center, with different types of controls such as Administrative, Technical and Physical wrapped around the data. For example, physical security has the same importance in both a traditional data center and a cloud based datacenter.
CSA has defined the Cloud Controls Matrix, which provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider. The latest version of the Cloud Controls Matrix is CCM v3.0.1.
As per this control matrix there are 133 controls divided into 16 domains of CSA cloud security.
Fig.5 CCMv3.0.2 Domains
Risk Management is one of the important aspects of cloud computing. There is no different strategy for management of risk in the cloud. You have to follow the conventional approach: perform the risk assessment based on a chosen framework, then manage each risk either through mitigation by use of certain controls, or by transferring, avoiding or accepting it. As per ENISA's "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012" document, cloud risks are classified into three categories: "Policy and Organizational Risks", "Technical Risks", and "Legal Risks".
The figure below represents the top rated risks identified by ENISA based on the probability and impact of each risk.
Fig.6 ENISA top security risks to cloud computing
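To make the conventional assessment and treatment cycle described above concrete, here is an added example in Python (written for this page; it is not the paper's, ENISA's or CSA's code): a small risk register rated on probability x impact within ENISA's three risk categories, ranked by inherent rating, with residual risk recomputed after a control is applied and the four treatment options (mitigate, transfer, avoid, accept) selected against an appetite threshold. The 1-5 scales, the appetite value of 8, the treatment policy and every register entry are assumptions constructed for illustration; ENISA's own top-risk ratings use its own scale and wording.

```python
"""Risk register for cloud risks, rated on probability x impact.

Added example, not from the paper, ENISA or CSA. The 1-5 scales, the risk
appetite threshold, the treatment policy and the register entries below are
all constructed for illustration.
"""
from dataclasses import dataclass, field

# ENISA's three risk classes, as named in the paper
CATEGORIES = ("Policy and Organizational", "Technical", "Legal")
# Constructed risk appetite: residual ratings above this need active treatment
RISK_APPETITE = 8


@dataclass
class Risk:
    name: str
    category: str
    probability: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int       # 1 (negligible) .. 5 (severe); constructed scale
    # controls applied: (control name, probability reduction, impact reduction)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        for value in (self.probability, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("probability and impact must be 1..5")

    @property
    def inherent(self) -> int:
        """Rating before any control is applied."""
        return self.probability * self.impact

    @property
    def residual(self) -> int:
        """Rating after the listed controls; neither factor drops below 1."""
        p, i = self.probability, self.impact
        for _name, dp, di in self.controls:
            p = max(1, p - dp)
            i = max(1, i - di)
        return p * i


def rank(register):
    """Highest inherent rating first, ties broken by name for a stable order."""
    return sorted(register, key=lambda r: (-r.inherent, r.name))


def treatment_options(risk):
    """Conventional treatments that make sense for this risk (constructed policy):
    accept when the residual rating is within appetite; otherwise mitigate,
    transfer when the impact is high enough to be worth contracting or insuring
    away, and avoid when the inherent rating is extreme."""
    if risk.residual <= RISK_APPETITE:
        return ("accept",)
    options = ["mitigate"]
    if risk.impact >= 4:
        options.append("transfer")
    if risk.inherent >= 20:
        options.append("avoid")
    return tuple(options)


# Constructed register: names borrow ENISA's risk titles, ratings are invented
REGISTER = [
    Risk("Loss of governance", "Policy and Organizational", 4, 4),
    Risk("Lock-in", "Policy and Organizational", 4, 3),
    Risk("Isolation failure", "Technical", 3, 5),
    Risk("Management interface compromise", "Technical", 3, 5,
         controls=[("MFA and IP allow-list on the console", 2, 0)]),
    Risk("Data protection / jurisdiction", "Legal", 3, 4),
]


def summary(register=REGISTER):
    """Rows of (name, category, inherent, residual, treatments), ranked."""
    return [(r.name, r.category, r.inherent, r.residual, treatment_options(r))
            for r in rank(register)]


if __name__ == "__main__":
    for row in summary():
        print(row)
```

Running the block prints the register in rank order; the management interface entry shows the residual risk effect the paper's InfoSec Management domain refers to, since one control drops it from 15 to 5 and moves it from "mitigate / transfer" to "accept".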
If you refer to the table below, which lists "The Notorious Nine – Cloud Computing Top Threats in 2013", you will find certain risks / threats are common to both documents, such as Malicious Insider / Cloud Provider Malicious Insider, Shared Technology Issues / Isolation Failure, and Insecure APIs / Management Interface Compromise.
Fig.7 – Notorious Nine Threats to Cloud Computing
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Security Certification and Attestations – The CSP can provide assurance to the CC on its current compliance level with respect to different standards, legal and regulatory requirements through certain security certifications and attestations.
The figure below provides the security certifications obtained by different CSPs. This is just a reference, and the CC is kindly requested to obtain the list of current certifications during evaluation of a CSP.
Fig.8 – Security Certifications and Attestations
Conclusion – Cloud computing is a double edged sword which provides a good amount of benefit, but only if implemented properly considering all security, governance, privacy and legal requirements. Risk assessment and due diligence are the key for cloud consumers to make their case a success story.
References –
CSA, "Trusted Cloud Reference Architecture version 2.0"
CSA, "Cloud Controls Matrix, CCM v3.0.1"
CSA, "The Notorious Nine – Cloud Computing Top Threats in 2013"
ENISA, "Cloud Computing Benefits, risks and recommendations for information security Rev.B-2012"
Forrester, "The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014"
END OF DOCUMENT