Cloud Security Alliance New Zealand Contribution to the Privacy Commissioner. 23 February 2012

Transcription

1 Cloud Security Alliance New Zealand Contribution to the Privacy Commissioner 23 February 2012

2 Foreword Cloud Security Alliance New Zealand Chapter is grateful to Privacy Commissioner for giving an opportunity to contribute to User Guidance to Cloud Computing. We would like to contribute to this cause through our publicly and freely available security research based on existing industry standards and best practices. The contribution to draft document is based on its generalised structure, thus we recommend description of the document at the specialised layers. Regards Jim Reavis Executive Director CSA Rizwan Ahmad Philip Whitmore Eric Svetoc Daniele Catteddu Managing Director CSA, Europe and Middle East John Martin Dean Carter Warren Schimith

3 1 What is cloud computing The meaning of Cloud Computing needs to be grasped entirely to apply the privacy rules, otherwise, the user, cloud service provider and stakeholders will not be able to determine the actual roles and responsibilities that exist within the cloud layers, and who is associated with those roles and responsibilities. It is important that cloud computing may not be evaluated literally, but it should be understood technically, which will make implementation of legal and regulatory controls easier. There are various definitions publically available with NIST , ENISA, ITU-T and Cloud Security Alliance documents. In this document, the definition of NIST is elucidated as a reference definition and explained in the terms that can be understood by the Cloud User (CU), Cloud Service Provider (CSP) and stakeholder. 1.1 Stack of layers The technical definition provided by NIST refers to a stack of layers dependant on each other. These layers are Software as a Service, Platform as a Service and Infrastructure as a Service, and are based on a virtualised 1 platform provided by the physical data centre. The explanation of the layers is technically defined in NIST The NIST definition (as with the Cloud Security Alliance description of cloud computing and ENISA description of responsibility of Cloud User (CU) and Cloud Service Provider (CSP) layers) also provides an understanding of its architecture and division of responsibility NIST Definition 2 Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models Essential Characteristics 3 1. On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. 2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations). 3. Resource pooling. The provider s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacentre). Examples of resources include storage, processing, memory, and network bandwidth. 1 Virtualised environment does not mean that the data does not have the Persistent state, it can be stored at the space given by the IaaS Characteristics are meant to differentiate it from existing services and cloud terminologies in the world. Characteristics may be taken as a whole.

4 4. Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time. 5. Measured service. Cloud systems automatically control and optimise resource use by leveraging a metering capability1 at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilised service Service Models 1. Software as a Service (SaaS). The capability provided to the consumer is to use the provider s applications running on a cloud infrastructure 4. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based ), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. 2. Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. 3. Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls) Deployment Models 1. Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organisation, a third party, or some combination of them, and it may exist on or off premises. 2. Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organisations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and 4 A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.

5 operated by one or more of the organisations in the community, a third party, or some combination of them, and it may exist on or off premises. 3. Public cloud 5. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organisation, or some combination of them. It exists on the premises of the cloud provider. 4. Hybrid cloud 6. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). 1.2 Understanding the Stack for SaaS, PaaS and IaaS Cloud Layers In cloud architecture, a relationship exists between the cloud layers and cannot be ignored due to dependencies. The Cloud Security Alliance Cloud architecture in figure1 below illustrates the relationships and dependencies between the cloud computing layers. These stacks of layers are interdependent on each other, and level and nature of responsibilities for those who use and provide services on each of these layers changes. In the figure, IaaS is the foundation layer on which PaaS and SaaS exists. Simply, it will be pertinent to say that SaaS is dependent of PaaS and PaaS is dependent on IaaS. Due to dependency and inheritance, the characteristics of layers are inherited along with the risks. It is important to note that commercial cloud providers may not neatly fit into the layered service model. The model is a prototype to understand security, privacy and legal issues by mapping real world services to an architectural framework. Figure 1: Cloud Security Alliance Stack of Cloud Layers 7 5 For privacy, the main concern is public cloud; these are transnational and located anywhere in the world. 6 Hybrid clouds can be based on public and private clouds. These are also important while considering the privacy based on interoperability, sovereignty of public clouds. In these cases the contractual terms needs a balance and cloud service provider must provide the transparency to the users through disclosure of information. 7 See cloud security alliance reference document v3

6 SaaS: It is a CSP which delivers software as a service to user. It is his responsibility to develop the software, using secure Platform (Paa-S 8 ) to compile the software and use an infrastructure (Iaa-S) to host it. Therefore, SaaS is dependent on PaaS and IaaS, otherwise delivery of any software as a service might not be possible. There are two use cases of SaaS: 1 The SaaS provider will own PaaS and IaaS and provide services to the user, for example CRM solutions such as Salesforce. The CU is the Data Controller and CSP is Data Processor. 2 There are cloud service providers only providing SaaS 9 but hosting their applications on another cloud service provider. For example A is a SaaS provider and can use Amazon PaaS and IaaS to host its application. In this case where the SaaS provider is using a different IaaS provider, he will be Data Controller for IaaS provider and Data Processor for CU. ENISA has referred and apprised about the roles and responsibilities during interaction of cloud user and provider that differ on each layer. It is also helpful in determining who will implement the privacy controls, administratively, operationally and in software. Table 1: Responsibility at SaaS CU Responsibility Jurisdictional Risk assessment Compliance with data protection law Identity Management Access Control Policy Authentication SaaS Layer CSP Responsibility Ownership of physical structure Physical security Management of software security Management of network security OS patch management Incident response and resiliency Monitoring and Maintenance Compliance with standards and legal regulation PaaS: it is cloud service provider which delivers platform for development of software to SaaS providers or to any user. The PaaS layer is dependent on the IaaS layer for storage, API etc. Windows Azure is one of the examples. Table 2: Responsibility at PaaS PaaS Layer CU Responsibility CSP Responsibility Maintenance of Application Ownership of physical structure Identity Management Physical security Compliance to privacy acts and data protection laws Management of network security Authentication OS patch management Development of software Incident response and resiliency Testing of Software Monitoring and Maintenance Maintenance of software and software security Compliance with standards and legal regulation Compliance with law related to malicious software 8 Paa-S S is for service and it is added to platform when any cloud service provider is actually providing the service to its users. 9 The SaaS provider may try to avoid high cost and may choose non-accredited IaaS cloud service provider to host their application, which in the long run may lead to loss of data.

7 IaaS: It is cloud service provider which delivers infrastructure to run your operating systems, store data etc. It is only dependant on the physical medium of data centre. It is foundation layer for PaaS and IaaS Table 3: Responsibilities at IaaS CU Responsibility Maintenance of Application security policy Identity Management Compliance to privacy acts and data protection laws Authentication Testing of Software Maintenance of software and security Compliance with law related to malicious software Configuration of logical security platform Configuration and maintenance of guest operating system IaaS Layer CSP Responsibility Ownership of physical structure Physical security Management of network security Incident response and resiliency Monitoring and Maintenance Compliance with standards and legal regulation Tables 1, 2 and 3 illustrate the amount of control exercised by CU and CSP. The level of control of CSP decreases from SaaS to IaaS giving control to CU. The control of data is in the hands of CU (data controller) in each layer and CSP is data processor. The privacy controls are implemented differently on each layer. At SaaS, the software is developed by the SaaS provider, and it is their responsibility that the technical privacy controls need to be implemented by design. Thereafter, SaaS is used by CU and data is entered. CSP deals with the backend data and interoperability, and security is their responsibility. Similarly, at PaaS, the CU develops the software, and it is their responsibility to have privacy controls embedded by design in the software, as is the case with IaaS. 2 Risk Analysis The performance of a risk analysis before the cloud services are adopted by the user is important. The risk analysis in cloud domain is not necessarily restricted to risk management practices and is expanded to analyse the legal risks also. In this document, risk analysis is limited to the Office of the Privacy Commissioner s draft requirements; however, an example of a comprehensive risk analysis document has been published by ENISA 10. The pre-adoption assessment of cloud risk is the CU s responsibility. 2.1 Deployment Models and Privacy The risk to privacy leakage emanates from transnational nature of public and hybrid clouds, however cloud service providers (CSP) residing in one jurisdiction with the cloud user (CU) can easily be controlled through local law and regulatory compliance. Public cloud computing spread over different jurisdiction creates following risks:- 1. New Zealand subjects are not protected under the CSP jurisdiction 10 See

8 2. CU is at the non-negotiable terms and dependant on the click wrap agreements, where the choice of jurisdiction is often based on where the data centre or the headquarters of the CSP is situated 3. Government agencies in another jurisdiction have extensive or unlimited powers to access the data without or with CU knowledge 4. The litigation is merely impossible to pursue Jurisdiction Risk Analysis and What Pre-Adoption Questions can be asked by user In cloud, CU is the owner of the data and it is therefore their responsibility to analyse the risks before acquiring services from a CSP. It is important for the CU to understand the security level and classification of their data. They should be vigilant and cynical in performing due care assessment of their data and therefore choose the appropriate cloud layer. The CU can ask following questions regarding the location of information 11 : 1. Is the location of the CSP 12 data centre stated? 2. Is the country where the data is located high risk or low risk 13? 3. Is the CSP willing to provide a choice of jurisdiction to CU? Does the CSP allow the users to specify which of your geographic locations their data is allowed to traverse into/out of (to address legal jurisdictional considerations based on where the data is stored vs. accessed)? 5. Does the privacy legislation in the country of CSP residency mandatorily require the CSP to provide adequate level of protection as aligned with EU data protection directives and the New Zealand Privacy Act? 6. Does New Zealand have bilateral or multilateral agreements with the CSP country for data protection 15? 7. Is the CSP SSAE or ISAE 3402 certified, and does the CSP provide copy of these reports to the CU for their assessment? 8. Does the CSP undergo a privacy impact assessment under the ISO standard? 9. Does the CSP include a protection of privacy clause 17 in their contracts or online agreements? 10. Does the CSP delete the data when a user is deprovisioned, or does it retain the data for some specific period of time? 11. Does the CSP perform secure deletion according to international best practices? 12. Does the CSP select and monitor outsourced providers in compliance with laws in the country where the data is processed and stored and transmitted? 11 Checklist, paragraph CSP also gives the choice of place where the data is processed for example services from Amazon, Rackspace etc. 13 See NZ list or World Bank good governance indicators. During risk assessment it will give an idea about the condition of rule of law, regulatory quality, voice and accountability, corruption in a specific country where data center is located. World bank good governance data is available at 14 It is recommended that jurisdiction for any legal document should favour the CU. 15 Please see NZISM 2.2 Agencies should not engage industry for the provision of off-site information technology services and functions in countries that New Zealand does not have a multilateral or bilateral security agreement with for the protection of classified information of the government of New Zealand. 16 SSAE 16 is comprised of SOC1, SOC2 and SOC3 reports. The recommended report for assurance and risk analysis is SOC2. SOC2 audits the datacentre under security core principles confidentiality, integrity and availability. SOC3 is the trusted seal after successful SOC2 reports. 17 Section 95b of privacy act 1988 au can be referenced.

9 13. Does the CSP inform users in case of data migration to partner cloud provider for resiliency? 14. Do Partner CSPs have the same security compliance standard as the primary cloud provider? 15. Does the CSP provide users with a role definition document clarifying their administrative responsibilities vs. those of the user? 16. Does the CSP follow ISO for record keeping? 2.2 Responsibility In these cloud layers, there is a change of responsibility between the CU and the CSP. The data protection and privacy controls are a joint responsibility of both. The main responsibility will be on the CU shoulders as the CU will be collecting data, updating and deleting the data. While the logical layer for control of data is the CU responsibility; the transition and deletion of data on physical medium will be the responsibility of the CSP Questions that need to asked by the CU The questions below cover the areas of security of information that a CU should ask a CSP, and address the following topics in the Checklist included in the Office of the Privacy Commissioner s draft: Security lock it down Use and Disclosure who sees the information and what will it be used for Ability to exit, and deletion of information. Security and Privacy Policy Data Governance Do your information security and privacy policies align with particular industry standards (e.g. ISO-27001, ISO-22307, CoBIT)? Is your Privacy Policy aligned with industry standards? Do you have agreements which ensure your providers adhere to your information security and privacy policies? Can you provide evidence of due diligence mapping of your controls, architecture and processes to regulations and/or standards? Do you notify your users when you make material changes to your information security and/or privacy policies? Ownership / Stewardship Classification Do you follow a structured data-labelling standard (e.g. ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)? Do you provide a capability to identify virtual machines via policy tags/metadata (e.g. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)? Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g. TXT/TPM, VN-Tag, etc.)? Do you have a capability to use system geographic location as an authentication factor?

10 Handling / Labelling / Security Policy Information Leakage Risk Assessments Information System Regulatory Mapping Risk Assessments Can you provide the physical location/geography of storage of a user s data upon request? Do you allow users to define acceptable geographical locations for data routing or resource instantiation? Are policies and procedures established for the labelling, handling and securing of data? Do you have controls in place to prevent data leakage or intentional/accidental compromise between users in a multi-user environment? Do you have a Data Loss Prevention (DLP) or extrusion prevention solution in place for all systems which interface with your cloud service offering? Do you provide security control health data in order to allow users to implement industry standard Continuous Monitoring (which allows continual user validation of your physical and logical control status?) Do you have the ability to logically segment or encrypt user data such that data may be produced for a single user only, without inadvertently accessing another user s data? Do you have capability to logically segment and recover data for a specific user in the case of a failure or data loss? Use of information Intellectual Property Do you have policies and procedures in place describing what controls you have in place to protect users intellectual property? If the utilisation of user services housed in the cloud is mined for cloud provider benefit, are the users IP rights preserved? If the utilisation of users services housed in the cloud is mined for cloud provider benefit, do you provide users the ability to opt-out? Incident Response Security and privacy Breach Notifications 18 Incident Response Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? Do you enforce and attest to user data separation when producing data in response to legal subpoenas? Do you inform users of any security breach? 18 Article 13a(3)EU Directive 2009/140/EC, In USA, almost every state has enacted the law for disclosure of breach Cal. Civ. Code 56.06, , ,

11 Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data? Nondisclosure Agreements Third Party Agreements Liability Legal Requirements Are the requirements for non-disclosure or confidentiality agreements reflecting the organisation's needs for the protection of data and operational details identified, documented and reviewed at planned intervals? Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed and stored and transmitted? Do you select and monitor outsourced providers in compliance with laws in the country where the data originates? Is your organisation insured by a third party for losses? Do your organisation s service level agreements provide users remuneration for losses they may incur due to outages or losses experienced within your infrastructure? Retention Policy Removal of User from system access Secure Disposal Nonproduction Data Data Retention Do you have technical control capabilities to enforce user data retention policies? Do you have a documented procedure for responding to requests for user data from governments or third parties? Do you have controls in place ensuring timely removal of systems access which is no longer required for business purposes? Is timely deprovisioning, revocation or modification of user access to the organisations systems, information assets and data implemented upon any change in status of employees, contractors, customers, business partners or third parties? Do you support secure deletion (e.g. degaussing / cryptographic wiping) of archived data as determined by the tenant? Can you provide a published procedure for exiting the service arrangement, including assurance to sanitise all computing resources of user data once a customer has exited your environment or has vacated a resource? Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?