1 Cloud Computing Security ENISA Daniele Catteddu, CISM, CISA Convegno Associazione Italiana Information Systems Auditors
2 Agenda
- Introduction to ENISA
- ENISA objectives in Cloud computing
- Reaching the objectives
- 2009: Benefits, risks and recommendations for InfoSec; Cloud Information Assurance Framework
- 2010: Security and resilience in Gov clouds: achieving an informed decision
- Conclusions
3 ENISA: Who are we?
- The European Network & Information Security Agency (ENISA) was formed in
- The Agency is a Centre of Expertise that supports the Commission and the EU Member States in the area of information security.
- We facilitate the exchange of information between EU institutions, the public sector and the private sector.
4 Focus
- ENISA assists Member States and the Commission in global issues that affect the European Community as a whole.
- ENISA contributes to the harmonization of appropriate technical and organizational security measures by providing expert advice. This is an advisory role and the focus is on prevention and preparedness.
- ENISA does NOT have any operational responsibilities either within the EU institutional framework or with respect to Member States.
- ENISA has no special role in the security process protecting EU institutions.
5 What is cloud computing: ENISA's understanding
- Highly abstracted hw/sw resources
- Near instant scalability and flexibility
- Near instantaneous provisioning
- Shared resources (hardware, database, memory, etc.)
- Service on demand, usually with a pay-as-you-go billing system
- Programmatic management (e.g. through Web Services API)
6 What is cloud computing: ENISA's understanding
- Cloud computing is not a new technology
- Cloud computing is a new business model
- It is a way of delivering computing resources
7 ENISA Cloud Computing Objectives
- Help business and governments to reap the cost and security benefits of cloud computing, while maintaining service availability, data confidentiality, integrity and privacy.
8 ENISA Cloud Computing Objectives
- Creating trust and trustworthiness through promoting best practice and assurance standards
11 Reaching the objectives: ENISA Deliverables and Ongoing Activities
- Cloud Computing: Benefits, Risks and Recommendations for Information security (2009)
- Assurance framework (2009)
- Research Recommendations (2009)
- Gov-Cloud security and resilience analysis (2010)
- Common Assurance Maturity Model (CAMM) consortium (proposed) procurement and monitoring guidance for government cloud contracts.
12 Cloud Computing: Benefits, Risks and Recommendations for Information security
13 Highlights from the report
- 27 experts involved
- Mainly based on an SME's requirements
- 8 security benefits
- 53 vulnerabilities considered
- 24 cloud specific risks identified
- Information Assurance (framework), Legal and Research recommendations
14 Security Benefits
15 Economy of Scale
16 Economies of scale and Security
- All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc.)
- The same amount of investment in security buys better protection.
17 Other benefits of scale
- Multiple locations by default -> redundancy and failure independence
- Edge networks: content delivered or processed closer to its destination
- Staff specialization & experience: cloud providers are big enough to hire specialists in dealing with specific security threats.
18 Improved management of updates and defaults
- Updates can be rolled out much more rapidly across a homogenous platform
- Default VM images and software modules can be updated with the latest patches and security settings
- Snapshots of virtual infrastructure (in IaaS) to be taken regularly and compared with a security baseline.
19 The Risks
20 Very high value assets
- Most risks are not new, but they are amplified by resource concentration
- Trustworthiness of insiders.
- Hypervisors: hypervisor layer attacks on virtual machines are very attractive.
- More data in transit (without encryption?)
- Management interfaces: big juicy targets
21 Loss of Governance
The client cedes control to the Provider on a number of issues affecting security:
- External pen testing not permitted.
- Very limited logs available.
- Usually no forensics service offered
- No information on location/jurisdiction of data.
- Outsource or sub-contract services to third-parties (fourth parties?)
SLAs may not offer a commitment to provide the above services, thus leaving a gap in security defences.
22 Lock-in
- Few tools, procedures or standard formats for data and service portability.
- Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment.
- Potential dependency of service provision on a particular CP.
23 Compliance Challenges
- Cloud Provider cannot provide evidence of their own compliance to the relevant requirements
- Cloud Provider does not permit audit by the Cloud Customer
- In certain cases, using a cloud implies certain kinds of compliance cannot be achieved
24 Legal and contractual risks
- Data in multiple jurisdictions, some of which may be risky.
- Lack of compliance with EU Data Protection Directive
- Potentially difficult for the customer (data controller) to check the data handling practices of the provider
- Multiple transfers of data exacerbate the problem
- Subpoena and e-discovery
- Confidentiality and Non-disclosure
- Intellectual Property
- Risk Allocation and limitation of liability
25 Isolation failure Storage (e.g. Side channel attacks see Memory Virtual machines Entropy pools (http://bit.ly/41siin) Resource use (e.g. Bandwidth)
26 RESOURCE EXHAUSTION
- Overbooking
- Underbooking
Caused by:
- Resource allocation algos
- Denial of Service
- Freak events
27 Key management
- Key management is (currently) the responsibility of the cloud customer
- Key provisioning and storage is usually off-cloud
- One key-pair per machine doesn't scale to multiple account holders/RBAC
- Credential recovery sometimes available through management interface (protected by UN/PWD by)
- Copies of VM images may contain keys if not well-managed
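An added example (not from the ENISA slides): a check an image owner can run over a mounted or extracted VM image before it is copied or shared, flagging private keys and populated authorized_keys files left inside it. The function names, file names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# PEM headers that mark private key material (RSA, EC, DSA, OpenSSH, PKCS#8).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Files that bind an image to credentials even when they hold no private key.
CREDENTIAL_FILENAMES = {"authorized_keys"}
MAX_BYTES = 1024 * 1024  # read at most 1 MiB per file; a PEM header normally sits at the start


def scan_image_tree(root):
    """Return sorted (relative_path, reason) findings for a mounted image tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PRIVATE_KEY_RE.search(data):
                findings.append((rel, "private-key"))
            elif name in CREDENTIAL_FILENAMES and data.strip():
                findings.append((rel, "authorized-keys"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample input standing in for a mounted VM image."""
    files = {
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "etc/ssh/ssh_host_rsa_key.pub": b"ssh-rsa CONSTRUCTED host\n",
        "root/.ssh/authorized_keys": b"ssh-rsa CONSTRUCTED admin@example\n",
        "home/app/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
        "home/app/.ssh/authorized_keys": b"",  # empty file: not a finding
        "etc/motd": b"welcome\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_image_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:16} {rel}")
```

A finding means the key should be removed from the template and regenerated per instance at first boot, since every copy of the image would otherwise share it.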
29 Cloud Information Assurance Framework
Increasing transparency through a minimum baseline for:
- comparing cloud offers
- assessing the risk to go Cloud
- reducing audit burden for CP and security risks
30 Cloud Information Assurance Framework: an example
Network architecture controls
- Well-defined controls are in place to mitigate DDoS (distributed denial-of-service) attacks, e.g.
  - Defence in depth (traffic throttling, packet black-holing, etc.)
  - Defences are in place against internal (originating from the cloud provider's networks) attacks as well as external (originating from the Internet or customer networks) attacks.
- Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.
- The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).
31 Research recommendations: BUILDING TRUST IN THE CLOUD
- Certification processes and standards for clouds
- Return on security investments (ROSI): the measures cloud computing can enable to improve the accuracy of ROI for security
- Techniques for increasing transparency while maintaining appropriate levels of security
  - Tagging, e.g., location tagging, data type tagging, policy tagging
  - Privacy preserving data provenance systems, e.g., tracing data end-to-end through systems
- End-to-end data confidentiality in the cloud and beyond:
  - Encrypted search (long term)
  - Encrypted processing schemes (long term)
  - Encryption and confidentiality tools for social applications in the cloud
- Higher assurance clouds, virtual private clouds, etc.
32 Research recommendations: DATA PROTECTION IN LARGE-SCALE CROSS-ORGANIZATIONAL SYSTEMS
The following areas require further research with respect to cloud computing:
- Data destruction and lifecycle management
- Integrity verification of backups and archives in the cloud and their version management
- Incident handling: monitoring and traceability
- Dispute resolution and rules of evidence
- International differences in relevant regulations, including data protection and privacy
- Legal means to facilitate the smooth functioning of multinational cloud infrastructures
- Automated means to mitigate problems with different jurisdictions.
33 Governments recommendations 2009
- Public clouds are (usually) not suitable for critical government applications.
- Clearly define international differences in DP legislation.
- Should there be breach notification requirements on cloud providers....
34 Government towards the Cloud
35 Governments and the Cloud
- Gov Agencies and Public Organizations around the globe are moving non-critical applications towards a "cloud approach".
- In Europe we have some fast adopters, i.e. Denmark and UK, announcing/planning to move into the cloud.
- In the short-medium term (1 to 3 years) an increasing number of Public Organizations, in EU Member States, will consider/adopt cloud computing.
[Map labels: DK, UK, ..., Australia, USA, Singapore, Japan]
36 2010 Security and resilience in Gov clouds: achieving an informed decision
37 Objectives and scope
- to support MSs in elaborating their cloud strategy
- to guide Public Bodies in defining their risk profile
- to evaluate S.W.O.T. of cloud computing
- to provide good practices
The main focus is the impact on resilience and security of services.
38 Security and resilience in Gov clouds: achieving an informed decision
3 scenarios considered:
- a local healthcare authority implementing the electronic healthcare records and other e-services,
- a local public administration rolling out new services for the citizens and rationalizing internal IT services, and finally,
- a Ministry planning the creation of governmental cloud as a business incubator
39 Business/Operational, Legal and Regulatory requirements; Security and Resilience requirements; IT services architectural options and delivery models; COMPARATIVE RISK ASSESSMENT (SWOT or RISK ANALYSIS & ASSESSMENT); Select IT solution; Identify threats, weaknesses; Prepare Request for Proposal (RfP); Select Partner-Provider; Risk treatment
40 Security and Resilience parameters
- Preparedness
- Risk Analysis and Assessment
- Prevention and Detection
- Patch Management
- Access Control and Accountability
- Supply Chain
- Business continuity
- Service Delivery
- Availability and Reliability
- Scalability and Elasticity
- Cloud Access
- Recovery and response
- Legal and regulatory compliance
41 Strengths
Community Cloud
- Common requirements and constraints and risks
- More bargaining power as a group (with the cloud provider)
- Ability to be a walled garden
- Membership vetting according to the trustworthiness of the candidate
- If based on federation -> edge networks
Private Cloud
- Full transparency and control over legal requirements (e.g. Geography)
- Ability to implement your own practices (e.g. risk analysis and assessment)
- Possibility to fully monitor all security events, BCP testing
- Auditability
- Priority in service resumption
Public Cloud
- Strong security and resilience capabilities (e.g. prevention and detection, patch management, availability and reliability, tolerance and elasticity, performance, response and recovery, business continuity and physical security)
- CAVEAT: these strengths are directly related to the scale of the provider
42 Weaknesses
Community Cloud
- difficult to agree on security baselines, the client-based common logging formats, etc.
- compared to a private cloud, you are a bigger target.
- access control and authentication are weakened
Private Cloud
- no advantage of economies of scale
- potentially less tolerance to malicious attacks
- less comprehensive redundancy regime, no geo-redundancy
- less flexibility
Public Cloud
- lack of control on the access control systems, lack of accountability (audits are not allowed).
- you need negotiating power to be able to ask the provider for the right information.
- external forensics very difficult
- geo location constraints as a weakness: data cannot leave the country
43 Opportunities
Community Cloud
- common ToR and security policies, standards etc...
- Potential flexibility of security policies closedness e.g. more strict security
Public Cloud
- Risk Analysis and Assessment, Penetration testing, Real time security monitoring
- In order for a public cloud to take advantage of these opportunities the following measures should be in place: 1) full control on asset inventory, 2) detailed physical assets, information and services classification, 3) integration between risk analysis/assessment and real time security monitoring processes, 4) effective screening of employees
Public Cloud
- In a private cloud, user- and application-oriented monitoring mechanisms can be implemented, making possible a quick adjustment of resources to meet peaks in the demand. Furthermore, security events of interest can be fully monitored.
44 Threats
Community Cloud
- Lack of exit criteria
- Community might grow too quickly
- Harder to predict resource usage (than private cloud)
- Failure of isolation mechanisms (not compared to public)
- Difficulty of identifying the legal entity
Public Cloud
- Lack of legal and regulatory compliance (data retention, forensics, reporting).
- Attractive target for criminals and insiders
- Isolation failure, information leakage, illegal monitoring
- Lack of linkability and accountability in case of illegal activities
- Poor requirements definition and asset classification.
- You might incur supplementary multiple jurisdiction
- Change of control (risk of provider acquisition)
Private Cloud
- politically motivated attacks
- damages to reputation
- Big brother effect
- Poor requirements definition and asset classification may result in loss of security and integrity when scaling from a private cloud to a hybrid one.
- Inadequate definition of the contracts with business partner(s) and lack of monitoring of the contract execution may be critical in relation with the size of the provider.
45 Key messages
- Private and community clouds appear to be the solution that best fits the needs of public bodies: they offer the highest level of governance, control and visibility.
- Bear in mind that if a private/community cloud does not reach the necessary infrastructural critical mass, most of the resilience and security benefits of the cloud model will not be realised.
- Public cloud is the option that offers potentially the highest level of service availability at lowest cost, but currently its adoption should be limited to non-sensitive applications and in the context of a defined strategy for cloud adoption, which should include a clear exit strategy.
46 Conclusions
- Cloud computing can represent an improvement in security and resilience
- Transparency is crucial: users must be given a means to assess and compare provider security practices
- In the current state of the art, migrating critical and sensitive applications and data to the cloud is still very risky
- Much more effort is required to achieve security levels required for higher assurance applications in the cloud
- For once we can build security in by design, let's not miss the chance
47 The Penultimate Slide
- Watch out for the results of ENISA's cloud security study, out end of November (http://)
48 The Final Slide Contact: Daniele Catteddu
49 Contact Daniele Catteddu European Network and Information Security Agency Science and Technology Park of Crete (ITE) P.O. Box Heraklion - Crete Greece