1 Isaac Potoczny-Jones Galois, Inc. Portland, OR ABSTRACT Cloud computing can be particularly beneficial to small businesses since it can decrease the total cost of ownership for IT systems. Unfortunately, one of the major barriers to adoption of cloud services is the perception that they are inherently less secure, exposing the organization to unacceptable risk. There are standard processes for managing security risk that can help businesses make trade-off decisions, but these processes currently cannot be applied to cloud computing since the security details of cloud services are not typically available to small businesses. This lack of information leads to a lack of trust: small businesses cannot evaluate the security of cloud services. This paper proposes an approach for cooperation between cloud vendors and small businesses based on the NIST Risk Management Framework. Security Risk Agreements would address the lack of trust so that small businesses can confidently adopt cloud services, benefiting both small businesses and cloud vendors. Categories and Subject Descriptors K.6.5 [Management of Computing and Information Systems]: Security and Protection. K.5.m [Legal Aspects of Computing]: Miscellaneous contracts. General Terms Legal Aspects, Security, Standardization. Keywords Cloud Security, Security Risk Agreement, Service Level Agreement, Risk Management Galois, Inc.
2 1. INTRODUCTION Cloud computing is the concept of offering remote network access to a set of IT resources , and it has the potential to be very valuable to small businesses since it can decrease the total cost of ownership of IT systems. However, one of the major barriers to adoption of cloud services is the perception that they are inherently less secure, exposing the organization to unacceptable risk . This perception is based on the existence of vulnerabilities that are unique-to or amplified-by typical cloud-based architectural approaches and since cloud services are hosted remotely   . Risk-based security analyses such as NIST s Risk Management Framework  are a widely-adopted method for making security decisions. Such a risk-based analysis of cloud services would allow a small business to make cost-benefit decisions about whether to deploy cloud services since they could analyze the vulnerabilities and implement security controls. However, the security details of cloud services are not typically available to a small business. This lack of information leads to a lack of trust: small businesses cannot evaluate the security of cloud services. This paper proposes that cloud service providers should offer a Security Risk Agreement (SRA), which is a kind of Service Level Agreement (SLA) tailored to providing small businesses the information they need to evaluate whether a certain cloud service will meet their security requirements. Increased trust will increase adoption, benefiting both the business and the cloud vendors. This type of agreement would address the widespread lack of trust in cloud security through an explicit and mutual understanding, based on a widely-adopted risk framework. 2. BENEFITS TO SMALL BUSINESSES Cloud computing is gaining attention since it is believed that it increases flexibility and decreases the cost of IT services. NIST defines cloud computing as, a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction . The US federal Chief Information Officer Vivek Kundra has argued that cloud computing is economical, flexible, can be rapidly implemented, can improve consistency in service, can be more energy efficient, and can increase an organization's ability to focus on its mission since it can spend less time and fewer resources on information technology . For example, small Internet-based businesses which cannot predict their bandwidth, storage, and CPU utilization might appreciate the flexibility that services like Amazon's EC2 system provide since they can automatically scale based on the required usage. Furthermore, services like Google Docs can provide capabilities, like word processing, that are enhanced with collaborative aspects since multiple users can modify a document simultaneously. For small user bases such cloud-based services are often free. Cloud vendors and NIST both argue that cloud computing has some security advantages, and indeed can be more secure in some cases since, for instance cloud vendors have dedicated security teams . For instance, Google has deployed multi-factor authentication  which increases the security of the login process. All of these elements should make cloud computing attractive to small businesses, since they can save on investment in IT and security specialists Galois, Inc. Page 2 of 8
3 3. CLOUD RISK MANAGEMENT As with any technology, such benefits are partly offset by the existence of risks, and in particular for cloud computing, security tops the list of concerns for most organizations . Risk-based security analyses are a widely-adopted method for making security decisions and are required for federal systems covered by FISMA  and health-care related systems covered by HIPAA . A risk-based analysis of cloud services would allow a small business to make cost-benefit decisions about whether to deploy cloud services since they explicitly weigh the impact of potential security problems against the cost of mitigating those problems. Processes for managing security risk have been developed by a number of organizations, but these processes are of limited applicability in cloud computing, since cloud vendors do not supply risk information about their services. One risk analysis process is the Risk Management Framework (RMF) which is outlined in detail in NIST's documentation  and involves understanding the impact of a loss of Confidentiality, Integrity, or Availability (CIA) to an organization's data or systems. The impact of such a loss is categorized as low, moderate, or high, depending on the reputation, financial, and human costs of an event. For instance, a high impact security event might involve the loss of human life . Based on this impact assessment, the process goes on to define steps for identifying vulnerabilities, selecting and deploying security controls to manage those vulnerabilities, and ongoing assessment and monitoring of their effectiveness. When an organization stores its data in a cloud-based system, that system becomes a part of its IT infrastructure since a CIA failure in a cloud system would impact that organization's data. Furthermore, the cost savings of cloud computing can be offset by the level of risk it imposes. Therefore, a small business's cost/benefit analysis should include a risk analysis of those systems before moving the organization's data to them. 4. VULNERABILITIES AND SHARING Cloud computing involves a number of vulnerabilities that are not present in traditional environments where an organization physically controls its own computing resources and does not share hardware or software resources with other organizations or the general public. The level of sharing between customers can vary greatly depending on the service. For the sake of argument, let's say that for a given level of sharing, there is some possibility that a malicious individual is sharing resources with an organization that wishes to protect its data. A greater level of sharing implies a higher degree of risk (all other things being equal) since the pool of users is more likely to include malicious users. Small businesses, whose resources are subject to a high degree of sharing, are therefore subject to high risk. This section outlines different sharing models (which are not mutually exclusive) and related vulnerabilities: 4.1. Cloud Deployment Types NIST defines three categories of cloud deployments: private, community, and public, and these each imply different types of sharing . Private clouds are those that are owned or leased by an enterprise, and so involve the least amount of sharing. These are likely outside the scope of what a small business can afford, so will not be discussed further. Community clouds are those that are shared by a set of organizations with some mutual trust. For example, Google's Apps for Government system has a separate cloud for organizations that are required to be FISMA compliant . This addresses a vulnerability that Mell & Grance point out: that data stored in the cloud could be subject to foreign governments' legal actions . Google addresses this by storing government data only within the US , but it doesn't make that guarantee for public cloud customers like small businesses Galois, Inc. Page 3 of 8
4 Public clouds are available to the general public and so involve the most sharing. These are the types of systems that most small businesses would use. The following sections outline other sharing models and related vulnerabilities that can apply to private, community, or public clouds. These vulnerabilities are probably more likely to have an impact in public clouds since they have a larger user pool, some of which might include malicious users Multi-Tenant vs. Dedicated Tenant Multi-tenant architectures allow multiple customers to use the same database and application instances . Although there are mitigations, such architectures can lead to SQL injection vulnerabilities where malicious users issue queries against the database holding sensitive information. Furthermore, errors in access control enforcement can lead to inadvertent disclosure of data . Dedicated tenant services host only a single customer, and so some such vulnerabilities might be more difficult, but this can come at the cost of performance Virtualization Vulnerabilities Virtualized systems run multiple virtual machines on a single physical host, and Gartner argues that such virtualized servers will be more vulnerable than physical servers for the next few years as organizations learn more about securing their systems . One vulnerability is that confidential information can be leaked when a malicious user is able to execute a virtual machine on the same Local Area Network. For instance, researchers have demonstrated the ability to estimate traffic rates, perform side-channel attacks in order to extract key material, and use timing channels to send covert data between machines . Another vulnerability is that if a malicious user is running a virtual machine on the same physical machine, there's some potential that they can execute some code that will give them control over the operating system that is executing all of the virtual machines. This has been demonstrated in practice  General Vulnerability Classes Other vulnerabilities are not necessarily specific to the method of deployment. Mell and Grance outline several general classes of security challenges  which include: Customers must trust the cloud vendor s security model. For instance, errors in the cryptographic implementation of cloud services could result in a loss of confidentiality of customer data as in . In order to trust the cloud vendor s security model, customers first need to understand the security claims made by the cloud vendor. For instance, the Dropbox cloud storage service has come under criticism for how it expressed security claims about its use of encryption, leading some customers to believe their data was cryptographically protected from Dropbox insiders  and resulting in an FTC complaint . Customers cannot necessarily respond to audit findings, for instance, when a Linux vulnerability affecting EC2 was discovered  administrators could not address the issue until Amazon released corrected kernels . Customers can have trouble obtaining support for investigations, for instance, if a security expert wishes to test their own EC2 service for vulnerabilities, they must request permission from Amazon, and certain types of testing are not permitted since it would affect other customers' shared resources . Proprietary implementations cannot be examined by the customer, for instance, one of the above vulnerabilities was visible to the public, and so was discovered by a customer, demonstrating the strength of transparency . Customers lose physical control of the IT systems, for instance, data hosted in a foreign country is subject to their laws. Even laws in the US are unfavorable since, as is pointed out in , cloud vendors can be subpoenaed for a customer's data, whereas if they stored the data themselves, a warrant would be required, which has a higher burden of proof Galois, Inc. Page 4 of 8
5 5. BARRIERS TO RISK-BASED ANALYSIS Thus far this paper has outlined cloud computing's potential benefits to small businesses, the necessity for small businesses to perform risk-based security analyses for cloud services, and the vulnerabilities that cloud computing is subject to. In order for small businesses and cloud vendors to reap the benefits of a shift to cloud services without small businesses having to sacrifice their ability to perform such analysis, cloud vendors should provide service-level agreements that include risk-based guarantees about the level of security of their infrastructure. Cloud vendors understand the necessity of risk analysis, at least in their engagements with the US federal government. Google and Microsoft both already provide FISMA compliant cloud services for government clients  , which involves risk-based analysis, but no such commitment is made to the general public. Cloud vendors also provide SLAs relating to performance and availability, and these agreements have reimbursement clauses which offer financial guarantees  , but no such guarantee is provided with regard to confidentiality and integrity. Cloud vendors also recognize the importance of conveying the security of their infrastructure   , likely because they understand that security is a major barrier to adoption. However, while these assurances are some comfort, they do not come with a guarantee, and are insufficient for risk management. 6. SECURITY RISK AGREEMENTS (SRAs) When a small business adopts cloud computing, they are outsourcing part of their IT infrastructure, and they therefore also must outsource some aspects of their risk management. A Security Risk Agreement should include principles of transparency and communication between the cloud vendor and the small business, the definition of security incidents and their severity, what level of guarantee the vendor is offering against incidents, and the consequences of a loss of confidentiality or integrity (availability being well defined in current SLAs). With that in mind, this section briefly outlines the steps of the Risk Management Framework  and what roles the small business and the cloud vendor play in each step. Step 1: Categorize the information system. In this step, the small business acts as the Information Owner/Steward and identifies the impact of a loss of confidentiality, integrity, or availability for its data: low, moderate, or high. The cloud vendor acts as the Information System Owner and will declare what level of impact their system can be authorized to handle. Some cloud vendors might only be trusted to handle low-impact data, but can potentially provide this service at a lower cost than a vendor who can handle moderate- or high-impact data. Steps 2-3: Select and implement security controls. In these steps the set of security controls (mitigations) from NIST  are selected and implemented by a combination of the cloud vendor and the small business. NIST divides security controls into a number of families, and within each family, some controls will be more naturally the accountability of the business and some of the cloud vendor. Since each business has unique security needs, each will likely want to identify a baseline set of must-have security controls and select vendors which are known to implement those security controls. Furthermore, the business might be required to implement some security controls in order to make up for a lack of controls from the cloud service (e.g. implementing encryption in the transport layer to make up for the lack of a virtual private network). For each family of security controls, one party bears the primary accountability for selecting and implementing the controls from that category, and that accountability is summarized in Table Galois, Inc. Page 5 of 8
6 Table 1. Proposed Primary Accountability for NIST Security Control Families Primary Accountability Falls To The small business The cloud vendor A neutral third party Accountability is split roughly equally Families of Security Control awareness and training, planning, personnel security, and system and services acquisition configuration management, contingency planning, identification and authentication, incident response, maintenance, physical and environmental protection, system and communications protection, and system and information integrity security assessment access control, audit and accountability, media protection, and risk assessment Step 4: Assess the effectiveness of the security controls. NIST emphasizes the importance of the independence of a security assessor. Since this assessment can largely be shared among all the customers of a cloud service, and since the details of some identified weaknesses (arguably) should not be made known to the general public, a neutral third party should be available to assess the controls and to communicate the high-level results, including the level of residual risk, to the small businesses. Furthermore, businesses must be permitted to perform their own assessments since they might have unique security concerns. Step 5: Authorize the information system. The cloud vendor should provide a plan to its customers to correct any weaknesses. The small business must be accountable for determining the level of risk to the organization and determining if that level of risk is acceptable. Step 6: Monitor security controls. Ongoing monitoring is the shared responsibility of the cloud vendor, the small business, and the security assessor. A security impact analysis of proposed changes must be performed by the cloud vendor and reported to the small business so that the business can assess the impact of that change on its corporate risk. Furthermore, businesses should be notified in advance of any change in security and either have the option to opt-out of a change or be given time to transition to a different vendor. 7. CONCLUSION At the same time that cloud computing is becoming ubiquitous, computer security is increasingly a concern for all businesses large and small. However, current service-level agreements between small businesses and cloud vendors do not allow for risk-based analysis of security by those businesses. This paper discusses both the value and the vulnerabilities of the shift to cloud computing and argues for a new practice in cloud business arrangements: the Security Risk Agreement. Such agreements will provide both parties with a clear understanding of their roles and accountabilities to one-another. This will help to avoid the kinds of mismatched expectations about security controls that can hurt both cloud service providers and their customers, as was the case regarding technical details of Dropbox s encryption. This paper provides an initial overview of the roles of each party in the context of NIST's Risk Management Framework. Security Risk Agreements address the major barrier to adoption of cloud computing: business's trust that their data will be handled with an appropriate level of security Galois, Inc. Page 6 of 8
7 8. REFERENCES  Adams, S Microsoft s Cloud Infrastructure FISMA Certified. FutureFed.  Amazon Amazon S3 SLA. Amazon Web Service  Amazon Linux kernel vulnerability in certain EC2 AMIs. Amazon Web Services. amis/.  Amazon. Penetration testing [policy]. Amazon Web Services.  Bezemer, C. P. and Zaidman, A Multi-tenant SaaS applications: maintenance dream or nightmare?. Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE), New York, NY, USA, pp  Brenner, S. W Cybercrime and the U.S. criminal justice system. in Handbook of information security, vol. 2, H. Bidogli, Ed. NY, NY: John Wiley & Sons, Inc.  Dropbox How secure is Dropbox? https://www.dropbox.com/help/27.  Estberg, M Microsoft s cloud infrastructure receives FISMA approval. Global foundation services blog.  Feigenbaum, E A more secure cloud for millions of Google Apps users. Official Google Enterprise Blog.  Gartner Gartner says 60 percent of virtualized servers will be less secure than the physical servers they replace through  Gens, F Cloud Services User Survey, pt.2: Top Benefits & Challenges.  Google. FISMA-certified cloud applications for government. Google Apps for business.  Google. Google Apps for business online agreement  Google. Google Apps service level agreement.  Google. Software-as-a-service has built-in security advantages. Google Apps for business.  Gruschka, N and Jensen, M Attack Surfaces: A Taxonomy for Attacks on Cloud Services. Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing, Washington, DC, USA, pp  Krishnan, K Introducing Google Apps for Government. Official Google Blog.  Kundra, V State of Public Sector Cloud Computing. Chief Information Officers Council.  Li, H. C., Liang, P. H, Yang, J. M, and Chen, S. J Analysis on Cloud-Based Security Vulnerability Assessment. E-Business Engineering, IEEE International Conference on, Los Alamitos, CA, USA, 2010, vol. 0, pp Galois, Inc. Page 7 of 8
8  Mell, P and Grance, T Effectively and securely using the cloud computing paradigm.  National Institute of Standards and Technology Federal Information Processing Standards Publication, Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199).  National Institute of Standards and Technology Recommended Security Controls for Federal Information Systems and Organizations (SP Revision 3).  National Institute of Standards and Technology Guide for applying the risk management framework to federal information systems (SP ).  ObReiman Kernel vulnerability affects EC2: NULL pointer dereference. AWS Developer Forums https://forums.aws.amazon.com/message.jspa?messageid=  Percival C AWS signature version 1 is insecure. Daemonic Dispatches.  Rane, P. Securing SaaS Applications. Information Systems Security.http://www.infosectoday.com/Articles/Securing_SaaS_Applications.htm.  Ristenpart, T., Tromer, E., Shacham, H., and Savage, S Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Proceedings of the 16th ACM conference on Computer and communications security. New York, NY, USA, pp  Secunia Xen multiple vulnerabilities advisories. Secunia security.  Scholl, M. et al An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. National Institute of Standards and Technology.  Soghoian, C How Dropbox sacrifices user privacy for cost savings. Slight paranoia:  Soghoian, C In the matter of Dropbox, Inc. Request for investigation and complaint for injunctive relief. FTC Complaint.  Wojtczuk, R Subverting the Xen hypervisor Galois, Inc. Page 8 of 8