Security standards for cloud usage


DRAFT, Version 0.9, March 2013

About ENISA

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found on the ENISA website.

Authors
Dr. Marnix Dekker, Matina Lakka

Contact
For contacting the authors please use resilience@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

Acknowledgements
This work was done in collaboration with Antonio Ramos (Leetsecurity).

Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent the state of the art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources, including external websites, referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged.
European Network and Information Security Agency (ENISA), 2013

Executive summary

TODO: We provide an overview of standards relevant for cloud computing security. We map the standards to a set of use cases.

Table of Contents

Executive summary
1 Introduction
2 Cloud service model
3 Use cases
4 Standards
5 Mapping standards
6 Conclusions
7 References
  7.1 Related ENISA papers
  7.2 Legislation
8 Annex: Full list of standards
  8.1 HTML / XML
  8.2 WSDL / SOAP
  8.3 OAuth
  8.4 SAML
  8.5 OData
  8.6 OVF
  8.7 OpenStack
  8.8 CAMP
  8.9 CIMI
  8.10 ODCA SUoM
  8.11 SCAP
  8.12 CSA CCM
  8.13 EuroCloud Star Audit
  8.14 EuroPriSe
  8.15 ISO
  8.16 ITIL
  8.17 SOC
  8.18 Tier Certification

1 Introduction

We provide an overview of standards relevant for cloud computing security. Besides giving a brief summary of the different standards and explaining how they work, we also provide two maps which show the main characteristics of the standards and the use cases in which they become relevant for cloud customers. This work is done in the context of the cloud strategy issued in 2012 by the EC, which calls for ENISA to support the EC in listing certification schemes and standards. This is an intermediate result which merely lists and gives an overview of standards relevant for cloud computing customers from a security perspective.

1.1 Target audience

This document is aimed at CIOs and architects in enterprises and SMEs in the EU, and at CIOs and decision makers in government organisations in the EU. It may also be of interest to industry experts and industry associations.

1.2 Scope

This document looks at standards which are relevant for cloud customers when adopting or using cloud computing services. The standards included are security standards, where relevant for cloud computing users, and cloud computing standards, where relevant for cloud computing users from a security perspective. This means that we include interoperability standards when they are relevant for the security of customers. We ignore general-purpose network and transport standards (Ethernet, TCP/IP, TLS/SSL, HTTP, SMTP, et cetera), which are not specific to cloud computing. We also ignore standards for providers about how to design and build cloud services which have no direct use for customers. For example, there may be standards for cooling server racks which are relevant when building cloud services, but we exclude them because they are not directly relevant for customers.

1.3 Structure of this document

In Section 2 we provide an overview of the different technologies involved in the different types of cloud computing. In Section 3 we analyse the use cases in the procurement lifecycle. In Section 4 we present our list of standards, and in Section 5 we introduce two types of standards maps: one map shows which standards address which technological areas, together with other characteristics of the standards (openness, adoption rate, et cetera); the other map shows which standards address which use cases. We conclude with some observations about gaps and overlaps.

2 Cloud service model

Cloud computing services are often divided into three types:

Software as a Service (SaaS): In SaaS, the provider delivers full-fledged software or applications via the Internet. Applications range from servers and clients to document editors and customer relationship management systems. SaaS services can often be accessed with a browser or a web services client.

Platform as a Service (PaaS): In PaaS, the provider delivers, via the Internet, a platform on which customers run their own software applications. The applications that customers can run on these platforms range from scripts (PHP, Python) to byte code (Java servlets, C#). Often PaaS providers also provide a software development tool to develop applications for the platform. Examples include Google App Engine, Microsoft Azure and Amazon Elastic Beanstalk.

Infrastructure as a Service (IaaS): In IaaS, the provider delivers storage (virtual databases) or computing resources (virtual hardware) via the Internet. Examples include Amazon's Elastic Compute Cloud, Google's Compute Engine, Amazon Simple Storage Service, Google Cloud Storage, Microsoft Windows Azure Storage, Rackspace, Amplidata, cloud.bg and VPS.net.

Figure 1 shows the different technologies involved in the different types of cloud services.

[Fig 1. Map of different technologies in the different types of cloud services. Elements shown: Facilities (Network, Housing, Cooling, Power), Hypervisor, Virtual Machine, OS, Application server, Application, Data, Client; for each of IaaS, PaaS and SaaS the figure marks which elements are managed by the customer and which by the provider.]

3 Use cases

In this section we look at the overall procurement lifecycle and identify 7 high-level use cases where the customer interacts with a cloud service provider. We stress that this is a limited list of use cases, not an exhaustive one. In each of these use cases standards may apply.

[Fig 2. Business use case diagram with 7 high-level use cases. Actors: Cloud user, Cloud provider, Auditor. Use cases: UC1 Select cloud service, UC2 Agree contract/SLA, UC3 Migrate/Integrate, UC4 Operate/Manage, UC5 Monitor, UC6 Audit/Inspect, UC7 Exit/Migrate.]

UC1: Select cloud service: The customer wants to decide about a cloud service to use (if at all). The user could issue a request for proposal and compare offers, and/or carry out a due diligence process on existing offers. The user may require parts of the provider or the service to be certified.

UC2: Agree contract / Service Level Agreement (SLA): The customer wants to agree on a contract and an SLA defining detailed service levels and agreed procedures between the customer and the provider.

UC3: Migrate/Integrate: The customer wants to migrate some existing application and/or data, or integrate the cloud service with existing systems and applications.

UC4: Operate/Manage: The customer wants to manage and configure the service.

UC5: Monitor: The customer wants to monitor the service during operation, for example to know about issues, service levels, et cetera.

UC6: Audit/Inspect: The customer wants to audit or inspect the service, for example post-incident, or as part of an audit of the customer's own organisation.

UC7: Exit/Migrate: The customer wants to exit the contract and migrate its application or data to another provider.

4 Standards

In this document, for each standard we look at the following aspects:

Adoption: the estimated size of the user base, either end-users or organisations. We distinguish three levels:
  *** globally: thousands of organisations worldwide
  ** widely: hundreds of organisations, regional or worldwide
  * limited: tens of organisations or fewer, for example in pilots

Certification/auditing: whether or not there is a certification framework to certify compliance with the standard, or, alternatively, whether it is common to have third-party audits against it. We distinguish three levels:
  *** audits are common and certification frameworks exist
  ** there are audits against the standard, but no formal certification scheme
  * de facto standard; there is no audit or certification against it

Openness: whether or not the standard is public and open, and whether or not the review process is public and open. We distinguish three levels:
  *** open consultation for drafts (like W3C, IETF, OASIS, etc.) and open access to final versions (or a small fee, for example less than 100 euro)
  ** consultation is closed or membership-based, but there is open access to the standard
  * the standard is not open to the public and access is restricted, or a useful set of the standards costs more than 100 euro

Use cases: the use cases in which the standard plays a role (UC1 to UC7).

Technology: the kind of technology the standard applies to (IaaS, PaaS, SaaS).

In this document we focus on the following standards. This list is based on input from the ETSI working group on standards and the list of cloud standards published by NIST: HTML/XML, WSDL/SOAP, OAuth, SAML, OData, OVF, OpenStack, CAMP, CIMI, ODCA SUoM, SCAP, CSA CCM, EuroCloud Star Audit, EuroPriSe, ISO, ITIL, SOC and Tier Certification. For the sake of readability, the full list of standards is included as an annex.

5 Mapping standards

In this section we present two maps of standards, showing:
- which standards address which use cases
- which standards have which characteristics

Table 1 shows which standards address which use cases (UC1 Select cloud service, UC2 Agree contract, UC3 Migrate/integrate, UC4 Operate/manage, UC5 Monitor, UC6 Audit/inspect, UC7 Exit/migrate). For the last five rows only the number of marks is legible in the transcription, not the columns.

Standard              UC1  UC2  UC3  UC4  UC5  UC6  UC7
HTML/XML               .    .    x    .    .    .    .
WSDL/SOAP              .    .    x    .    .    .    .
OAuth                  .    .    x    x    .    .    x
SAML                   .    .    x    x    .    .    x
OData                  .    .    x    x    .    .    x
OVF                    .    .    x    x    .    .    x
OpenStack              .    .    x    x    x    .    x
CAMP                   .    .    x    x    x    .    x
CIMI                   .    .    x    x    .    .    x
ODCA SUoM              .    x    .    .    x    .    .
SCAP                   .    .    .    .    x    .    .
CSA CCM                x    .    .    .    .    x    .
EuroCloud Star Audit   x    .    .    .    .    x    .
EuroPriSe              (two use cases; columns illegible)
ISO                    (two use cases; columns illegible)
ITIL                   (two use cases; columns illegible)
SOC                    (two use cases; columns illegible)
Tier Certification     (two use cases; columns illegible)

Table 1. Use cases addressed by each standard

In Table 2 we show the application domain of the different standards (SaaS, PaaS, IaaS, Facilities, Organisation) and their general characteristics in terms of adoption (A), certification (C) and openness (O), rated from * to *** as defined in Section 4. For the last five rows only the number of domain marks is legible in the transcription, not the columns.

Standard              SaaS PaaS IaaS Fac. Org.    A    C    O
HTML/XML               x    .    x    .    .     ***  *    ***
WSDL/SOAP              x    .    x    .    .     ***  *    ***
OAuth                  x    .    .    .    .     ***  *    ***
SAML                   x    .    .    .    .     ***  *    ***
OData                  x    .    x    .    .     *    *    ***
OVF                    .    .    x    .    .     ***  *    ***
OpenStack              .    .    x    x    .     **   *    **
CAMP                   .    x    .    .    .     *    *    **
CIMI                   .    .    x    .    .     *    *    ***
ODCA SUoM              .    .    x    .    .     *    *    **
SCAP                   x    x    x    x    .     ***  *    **
CSA CCM                .    .    .    x    x     *    ***  ***
EuroCloud Star Audit   x    .    .    x    x     *    ***  *
EuroPriSe              (two domains; columns illegible)  *    ***  **
ISO                    (two domains; columns illegible)  ***  ***  **
ITIL                   (one domain; column illegible)    **   ***  **
SOC                    (two domains; columns illegible)  **   ***  **
Tier Certification     (one domain; column illegible)    **   ***  *

Table 2. Characteristics of the standards

6 Conclusions

//TODO

//Note about data protection: there does not seem to be a standard for privacy settings or security measures to protect personal data. Maybe interesting for future work.

//Note about LEA access requests: there is sometimes talk about standardising data access requests and forensics. This may be interesting for future work. In this document, we focus on the common use cases involving the customer.

//Note possible weak areas: there are some use cases where very few standards exist:
UC2. Agree contract / SLAs
UC3. Migrate / integrate for PaaS and SaaS models
UC4. Operate / manage for PaaS and SaaS models
UC5. Monitoring
UC7. Exit / migrate for PaaS and SaaS models

NOTE: The idea of service labelling introduced by the EU Cyber-security Strategy could be interesting.

7 References

7.1 Related ENISA papers

The 2009 ENISA Cloud computing risk assessment assesses risks and benefits for SMEs who consider adopting cloud computing.

The 2011 ENISA report on security and resilience of Governmental clouds provides guidance for government organisations for selecting cloud computing services.

The 2012 ENISA report on secure procurement of cloud computing services focuses on monitoring service levels of cloud computing services.

The 2012 ENISA report on National Cyber Security Strategies aims to identify the most common and recurrent elements and practices of national cyber security strategies (NCSSs) in EU and non-EU countries.

//EU CLOUD PARTNERSHIP

7.2 Legislation

RELEVANT LEGISLATION

8 Annex: Full list of standards

In this section we describe the different standards.

8.1 HTML / XML

Name: HyperText Markup Language (HTML) / Extensible Markup Language (XML)
Body: World Wide Web Consortium (W3C): HTML Working Group; XML Core Working Group
Openness: Open. Development: discussion is kept between W3C members (and potentially non-member experts invited by the Group Chair). Availability: the specifications are freely available to download from the W3C working group pages.
Use cases: UC3 Migrate/Integrate. As de facto standards of the Internet, HTML and XML allow a user to move from one provider to another, because all providers support both.
Applies to: IaaS and SaaS. Both languages make communication between elements possible, and therefore also affect the API/GUI element.
Certification: The use of these languages is neither accredited nor certified by any body, but as W3C Recommendations they are the basis of today's Internet-based services.
Adoption: Global. Millions of companies use these standards; XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet Media Types for use when sending XML).

Description: HTML is the main markup language for creating web pages and other information that can be displayed in a web browser. HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive forms. It provides a means to create structured documents by denoting structural semantics for text such as headings, paragraphs, lists, quotes and other items. It can embed scripts written in languages such as JavaScript which affect the behaviour of HTML web pages. XML is a subset of SGML (a markup language) that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services. Many application programming interfaces (APIs) have been developed to aid software developers with processing XML data, and several schema systems exist to aid in the definition of XML-based languages. As of 2009, hundreds of XML-based languages have been developed, including RSS, Atom, SOAP and XHTML. XML-based formats have become the default for many office-productivity tools. XML has also been employed as the base language for communication protocols, such as XMPP.

8.2 WSDL / SOAP

Name: Simple Object Access Protocol (SOAP) / Web Services Description Language (WSDL)
Body: World Wide Web Consortium (W3C): XML Protocol Working Group; Web Services Description Working Group
Openness: Open. Development: discussion between W3C members (and potentially non-member experts invited by the Group Chair). Availability: the documents are freely available to download from the XML Protocol and Web Services Description Working Group pages.
Use cases: UC3 Migrate/Integrate. As de facto standards of the Internet, SOAP and WSDL allow a user to move from one provider to another, because all providers support both.
Applies to: IaaS and SaaS. Both make communication between elements possible, and therefore also affect the API/GUI element.

Certification: The SOAP/WSDL standards are voluntary and there is no body responsible for accrediting in any way that a service complies with them.
Adoption: Global. Millions of companies use these standards, as XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet Media Types for use when sending XML).
Description: SOAP is a protocol specification for exchanging structured information in the implementation of web services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other application-layer protocols, most notably HTTP or SMTP, for message negotiation and transmission. The protocol consists of three parts: an envelope, which defines what is in the message and how to process it; a set of encoding rules for expressing instances of application-defined datatypes; and a convention for representing procedure calls and responses. WSDL is an XML-based interface description language that is used for describing the functionality offered by a web service. A WSDL description of a web service provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns.

8.3 OAuth

Name: OAuth 2.0 Authorization Framework
Body: Internet Engineering Task Force (IETF)
Openness: Open. Development: the standard is discussed by the IETF OAuth Working Group. Availability: the document is freely available to download from the IETF website.
Use cases: UC3 Migrate/Integrate: OAuth allows a user to manage access to provider resources in line with their internal needs. UC4 Operate/Manage: during the life of the service, OAuth supports the modification of existing access authorizations to provider resources according to user needs. UC7 Exit/Migrate: OAuth facilitates portability between cloud implementations that support the framework.
Applies to: SaaS. As a framework that governs access to an HTTP service, it works on the API/GUI element of the cloud service model.

Certification: The OAuth framework is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Global. Due to adoption by the main public cloud providers and social networks, OAuth is used by thousands of applications and millions of users.
Description: OAuth enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. (OAuth is an authorization framework, not an authentication protocol; OpenID Connect is an identity layer built on top of OAuth 2.0.) OAuth introduces an authorization layer and separates the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

8.4 SAML

Name: Security Assertion Markup Language (SAML)
Body: Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by the OASIS Security Services Technical Committee. Availability: the document is freely available to download from the OASIS website.
Use cases: UC3 Migrate/Integrate: SAML provides users with an interface to manage identification and user authentication between user and provider. UC4 Operate/Manage: during the life of the service, SAML supports the modification of identification and user authentication according to user needs. UC7 Exit/Migrate: SAML facilitates portability between cloud implementations that support the language.
Applies to: SaaS. As a framework for access to an HTTP service, it works on the API/GUI component of the cloud service model.
Certification: The SAML standard is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
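The separation of roles that the OAuth entry above describes (resource owner, client, authorization server, resource server) is easiest to see in a running exchange. The following is an added example, written for this page and not taken from the report or from any OAuth implementation: an in-memory model of the authorization code grant in which the client never sees the owner's password, receives a token limited to the approved scope, and the resource server enforces that scope. All client names, URIs and resource data are constructed for illustration.

```python
"""Added example: an in-memory model of the OAuth 2.0 authorization code grant
(RFC 6749) with the roles the report names: authorization server, client and
resource server. All names, URIs and data are constructed for illustration."""
import secrets
import time


class AuthorizationServer:
    """Issues short-lived, single-use authorization codes and scoped bearer tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> pending grant
        self.tokens = {}    # access_token -> granted authorization

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, owner, approved_scope):
        # The resource owner authenticates here, at the AS (never at the client),
        # and approves a scope. The code may only go to the registered redirect_uri;
        # otherwise an attacker-controlled URI could capture it (RFC 6749 s.10.6).
        if client_id not in self.clients:
            raise ValueError("unauthorized_client")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("invalid_request: redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "owner": owner,
                            "scope": approved_scope, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code):
        # The client authenticates with its own credential, not the owner's password.
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)   # pop: a code is single use (s.4.1.2)
        if grant is None or grant["client_id"] != client_id or grant["exp"] < time.time():
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "owner": grant["owner"],
                                     "scope": grant["scope"], "exp": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, access_token):
        info = self.tokens.get(access_token)
        if info is None or info["exp"] < time.time():
            return None
        return info


class ResourceServer:
    """Hosts the owner's resources and enforces the scope carried by the token."""

    def __init__(self, auth_server, store):
        self.auth_server = auth_server
        self.store = store   # owner -> {resource_name: value}

    def get(self, bearer_token, owner, resource, required_scope):
        info = self.auth_server.introspect(bearer_token)
        if info is None:
            return 401, "invalid_token"
        if info["owner"] != owner or required_scope not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, self.store[owner][resource]


def run_flow():
    """Drive the three parties through one grant and three abuse attempts."""
    auth = AuthorizationServer()
    auth.register_client("photo-app", "s3cr3t", "https://photo-app.example/cb")
    store = {"alice": {"photos": ["a.jpg", "b.jpg"], "contacts": ["bob"]}}
    rs = ResourceServer(auth, store)

    # 1. Owner alice approves only photos:read; the client receives a code.
    code = auth.authorize("photo-app", "https://photo-app.example/cb", "alice", "photos:read")
    # 2. The client exchanges code + its own secret for a token: its own credential.
    tok = auth.token("photo-app", "s3cr3t", code)
    # 3. The RS serves what the scope covers and refuses what it does not.
    photos = rs.get(tok["access_token"], "alice", "photos", "photos:read")
    contacts = rs.get(tok["access_token"], "alice", "contacts", "contacts:read")
    # 4. Replaying the code, a wrong client secret and an unregistered redirect URI all fail.
    replay = auth.token("photo-app", "s3cr3t", code)
    wrong_secret = auth.token("photo-app", "nope", code)
    try:
        auth.authorize("photo-app", "https://attacker.example/cb", "alice", "photos:read")
        redirect = "accepted"
    except ValueError as exc:
        redirect = str(exc)
    return {"photos": photos, "contacts": contacts, "replay": replay,
            "wrong_secret": wrong_secret, "redirect": redirect}
```

Calling run_flow() returns a 200 for the scoped resource, a 403 for the resource outside the approved scope, and errors for the replayed code, the wrong client secret and the unregistered redirect URI. A real deployment adds TLS, the state parameter against CSRF, and token expiry and revocation checks at the resource server on every request.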
Adoption: Global. Thousands of applications use SAML, but it is estimated that these are fewer than 10% of the available applications (in fact, it is being replaced by OAuth as the de facto standard for identity management).
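The SAML entry above says the language carries authentication, entitlement and attribute information between partners. What a service provider must do with such an assertion before trusting it is shown below as an added example, written for this page and not taken from the report or from any SAML toolkit: the assertion is a constructed sample, and the checks cover the Conditions element (validity window with clock skew, audience restriction) and attribute extraction. The XML signature check that the SAML profiles require before any of this is trusted is assumed to have been done already by an XML-DSig library on the whole Assertion element; it is deliberately outside this block.

```python
"""Added example: consume a SAML 2.0 assertion and enforce its Conditions.
The sample assertion is constructed; signature verification (XML-DSig over the
whole Assertion) is assumed to have happened before this code runs."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not from the report).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T10:00:00Z" NotOnOrAfter="2013-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.cloud.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-03-01T09:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>billing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """SAML timestamps are UTC ('Z'); parse them as timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, now, skew=timedelta(seconds=30)):
    """Return (ok, reason, claims). Claims are only returned when every check passes.
    Parse only the element the signature covered: signature-wrapping attacks work by
    getting the consumer to read a different Assertion than the one that was signed.
    For untrusted XML in production use defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not_an_assertion", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing_conditions", None          # refuse unbounded assertions
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        return False, "not_yet_valid", None
    if not_on_or_after and now - skew >= _ts(not_on_or_after):
        return False, "expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience_mismatch", None            # assertion meant for another SP
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    claims = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "attributes": attributes,
    }
    return True, "ok", claims
```

validate_assertion(SAMPLE_ASSERTION, "https://sp.cloud.example.com", now) with now inside the five-minute window returns the subject and the role attribute; the same assertion presented to another audience or after NotOnOrAfter is rejected with a reason the service provider can log.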

Description: SAML provides an XML-based framework for communicating user authentication, entitlement and attribute information between online partners. SAML provides a standard XML representation for specifying this information and interoperable ways to exchange and obtain it. By defining standardised mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality.

8.5 OData

Name: Open Data Protocol (OData)
Body: OData and the Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by the OASIS OData Technical Committee. Availability: the document is freely available to download from the OData website.
Use cases: UC3 Migrate/Integrate: Using OData, cloud users can connect internal services with cloud ones, making the integration of this kind of service easier. UC4 Operate/Manage: Data management is one of the most important issues regarding cloud services; the use of standards like OData makes it easier to interchange data with cloud providers. UC7 Exit/Migrate: When changing from one cloud service provider to another, using data management standards reduces the lock-in power of any provider.
Applies to: IaaS and SaaS. OData works on the elements of the cloud service model that give access to data.
Certification: The OData protocol is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Limited. Tens of applications and tens of live services implement the OData protocol at the time of writing this report (according to the OData website).

Description: OData is a web protocol for querying and updating data. OData applies and builds upon web technologies such as HTTP, the Atom Publishing Protocol and JSON to provide access to information from a variety of applications, services and stores. OData can be used to expose and access information from a variety of sources including, but not limited to, relational databases, file systems, content management systems and traditional websites. OData provides a uniform way to expose, structure, query and manipulate data using REST practices and JSON or Atom syntax to describe the payload.

8.6 OVF

Name: Open Virtualization Format (OVF)
Body: Distributed Management Task Force (DMTF)
Openness: Open. Development: the standard is discussed by DMTF group experts. Availability: the document is freely available to download from the DMTF website.
Use cases: UC3 Migrate/Integrate: If the user already uses virtualisation, OVF makes the move to the cloud easier. UC4 Operate/Manage: During the service life-cycle, OVF allows the user to install new virtual machines easily. UC7 Exit/Migrate: If providers adopt OVF, users can move their virtual machines from one provider to another without modifications at this level.
Applies to: IaaS. OVF establishes requirements that ease the mobility of virtual machines between hypervisors.
Certification: The OVF standard is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Global. OVF has been adopted by the main virtualisation players, so thousands of users use the standard.
Description: OVF is a standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines. The standard describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software, not tied to any particular hypervisor or processor architecture.
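The "secure" in the OVF description above rests on the package manifest: an OVF package may carry a .mf file with one digest line per file ("SHA256(name)= hexdigest"; OVF 1.x used SHA1) and an optional .cert file that signs the manifest. The following is an added example, written for this page and not taken from the report or from any OVF tool, of building and checking such a manifest before a package is imported. The package contents are constructed in memory; the .cert signature step (X.509 over the manifest) is assumed to be handled separately and is not shown.

```python
"""Added example: build and verify an OVF package manifest (.mf) before import.
Package contents below are constructed; the signed .cert over the manifest, which
binds these digests to a publisher, is out of scope here."""
import hashlib
import hmac
import re

MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)=\s*([0-9a-fA-F]+)$")
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def sample_package():
    """Constructed two-file package: an OVF descriptor and a (fake) disk image."""
    descriptor = (
        b'<?xml version="1.0"?>\n'
        b'<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/2"'
        b' xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/2">\n'
        b'  <References><File ovf:id="disk1" ovf:href="disk1.vmdk"/></References>\n'
        b"</Envelope>\n"
    )
    return {"appliance.ovf": descriptor, "disk1.vmdk": b"KDMV" + bytes(64)}


def build_manifest(files, algorithm="SHA256"):
    """Producer side: one digest line per file, in the OVF manifest syntax."""
    digest = ALGORITHMS[algorithm]
    return "".join(f"{algorithm}({name})= {digest(data).hexdigest()}\n"
                   for name, data in files.items())


def verify_package(files, manifest_text, allow_sha1=False):
    """Consumer side. Return (ok, problems). A package passes only if every file
    is listed, every listed file is present, and every digest matches."""
    problems, listed = [], set()
    for lineno, raw in enumerate(manifest_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed manifest entry")
            continue
        algorithm, name, expected = m.groups()
        if algorithm == "SHA1" and not allow_sha1:
            problems.append(f"{name}: SHA1 digest not accepted")   # collision-prone
            continue
        listed.add(name)
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: listed in manifest but missing from package")
            continue
        actual = ALGORITHMS[algorithm](data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            problems.append(f"{name}: digest mismatch")
    # Anything shipped in the package but absent from the manifest is unverified
    # content; the manifest and certificate themselves are never listed.
    for name in files:
        if name not in listed and not name.endswith((".mf", ".cert")):
            problems.append(f"{name}: present in package but not in manifest")
    return (not problems), problems
```

verify_package(sample_package(), build_manifest(sample_package())) returns (True, []); changing one byte of the disk image, or adding an unlisted file such as a startup script, makes it fail with a problem naming the file, and a SHA1-only manifest is refused unless the caller opts in.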

8.7 OpenStack

Name: OpenStack Open Source Cloud Computing Software
Body: OpenStack Foundation
Openness: Partly open. Development: new software functionality is discussed among OpenStack Foundation experts. Availability: documents and source code are freely available to download from the OpenStack website.
Use cases: UC3 Migrate/Integrate: Using OpenStack-based systems simplifies a user's move to the cloud (provided the provider uses it too). UC4 Operate/Manage: During the life of the service, the OpenStack dashboard allows the management of cloud resources by the user. UC5 Monitor: The OpenStack dashboard can also be used to monitor the usage of cloud resources. UC7 Exit/Migrate: OpenStack-based systems facilitate portability between cloud implementations that support the specification.
Applies to: Facilities and IaaS. Looking at the OpenStack components, network, hardware and hypervisor are mainly covered by the software.
Certification: Use of an OpenStack-compatible system is voluntary and there is no body responsible for accrediting in any way that a system complies with it.
Adoption: Widely. Hundreds of companies have joined the OpenStack project.
Description: OpenStack is free and open source software committed to an open design and development process. The mission of the project is to enable any organisation to create and offer cloud computing services running on standard hardware. OpenStack has the following components: compute, object storage, image service, identity, dashboard, networking, block storage, metering, and orchestration and service definition.

8.8 CAMP

Name: Cloud Application Management for Platforms (CAMP)

Body: CloudBees, Cloudsoft, Huawei, Oracle, Rackspace, Red Hat and Software AG
Openness: Partly open. Development: the specification was created by the organisations mentioned above. Availability: the document is freely available to download from the CAMP website.
Use cases: UC3 Migrate/Integrate: CAMP provides users with artifacts and APIs to manage the provisioning of resources at their PaaS provider. UC4 Operate/Manage: During the life of the service, CAMP supports the modification of PaaS resources according to user needs. UC5 Monitor: The CAMP specification can be used to supervise the use of PaaS resources during the operation of the service. UC7 Exit/Migrate: CAMP facilitates portability between cloud implementations that support the specification.
Applies to: PaaS. CAMP focuses on managing the PaaS elements of the infrastructure.
Certification: The CAMP specification is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Limited. Parts of the specification are under development at OASIS, and no public adherence has been shown apart from the authors'.
Description: The main objective of the CAMP specification is to leverage similarities between different PaaS offerings (using languages such as Java, Python and Ruby and frameworks such as Spring and Rails) and to produce a generic application and platform management API that is language, framework and platform neutral. The specification includes the artifacts and APIs that a PaaS cloud needs to offer to manage the building, running, administration, monitoring and patching of applications in the cloud, contributing to the interoperability among self-service interfaces to PaaS clouds.

8.9 CIMI

Name: Cloud Infrastructure Management Interface (CIMI) Model and RESTful HTTP-based Protocol: an interface for managing cloud infrastructure
Body: Distributed Management Task Force, Inc. (DMTF)

Openness: Open. Development: the standard is discussed by the DMTF Cloud Management Working Group. Availability: the document is freely available to download from the DMTF website.
Use cases: UC3 Migrate/Integrate: CIMI provides users with an interface to manage the provisioning of resources at their IaaS provider. UC4 Operate/Manage: During the life of the service, CIMI supports the modification of IaaS resources according to user needs. UC7 Exit/Migrate: CIMI facilitates portability between cloud implementations that support the specification.
Applies to: IaaS. CIMI proposes an interface to manage infrastructure resources.
Certification: The CIMI standard is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Limited. Tens of companies have publicly shown their support for CIMI since its publication in August.
Description: CIMI defines a logical model for the management of resources within the Infrastructure as a Service domain. For this purpose, the basic resources of IaaS (machines, storage and networks) are modelled and exposed through a Representational State Transfer (REST)-style protocol over HTTP (which could be mapped to other protocols). Requests are sent using an HTTP verb (PUT, GET, DELETE, etc.) and include a message body in either JSON or XML format. Support for the Open Virtualization Format (OVF) in CIMI allows an OVF package to be imported to create CIMI management resources. CIMI addresses the management of the lifecycle of the infrastructure delivered by a provider.

8.10 ODCA SUoM

Name: Standard Units of Measure for IaaS (SUoM). Document: docs?download=458:standard_units_of_measure
Body: Open Data Center Alliance (ODCA)
Openness: Partly open. Development: the standard is discussed by ODCA experts. Availability: the document is freely available to download from the ODCA website.

Use cases: UC2 Agree contract / Service Level Agreement (SLA): SUoM is usable within a service catalogue prior to service delivery, as a definition of the expected service capabilities while services are in use, and as a billing reference after consumption. UC5 Monitor: Through the use of SUoM, customers are able to monitor the usage of the resources agreed with the cloud provider.
Applies to: IaaS. The document includes units of measure for elements of the IaaS model.
Certification: The Standard Units of Measure for IaaS standard is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
Adoption: Limited. Tens of organisations adhering to ODCA adhere to this document.
Description: SUoM describes quantitative and qualitative attributes of services to enable easier, more precise comparison and discovery in the marketplace. The objective is to provide a way to compare services from competing providers of cloud services, as well as with the customer's own internal capabilities. Such comparison can be either quantitative on a like-for-like basis (e.g. quantity of consumption, period of usage, etc.) or qualitative on a set of service assurance attributes (e.g. degree of elasticity, degree of service level, etc.).

8.11 SCAP

Name: Security Content Automation Protocol (SCAP)
Body: National Institute of Standards and Technology (NIST)
Openness: Partly open. Development: the standard is discussed by the NIST community. Availability: the document is freely available to download from the NIST website.
Use cases: UC5 Monitor: Using SCAP, users can monitor security flaws and evaluations of the infrastructure; because both sides use a common language, they can understand what has been detected in the infrastructure.
Applies to: Facilities, IaaS, PaaS and SaaS. The specifications make it easier to exchange security information between parties at all levels that can have vulnerabilities, i.e. all layers of the cloud model except the organisation.
Certification: NIST provides an SCAP Content Validation Tool that organisations can use to help validate the correctness of their SCAP content.

Adoption: Some parts of SCAP, such as CVSS and CVE, are globally adopted, while the rest (CPE, CCE, etc.) should be considered of limited use. In fact, 43 content-producer products have been validated as SCAP-compliant, corresponding to the main vulnerability assessment vendors, so hundreds of thousands of companies consume SCAP-compliant information.
Description: SCAP is a suite of specifications that standardise the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control activities and security measurement. SCAP v1.2 comprises eleven component specifications. Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL) and Open Checklist Interactive Language (OCIL). Reporting formats: Asset Reporting Format (ARF) and Asset Identification. Enumerations: Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE). Measurement and scoring systems: Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS). Integrity: Trust Model for Security Automation Data (TMSAD).

8.12 CSA CCM

Name: Cloud Controls Matrix v1.3 (CCM)
Body: Cloud Security Alliance (CSA)
Openness: Open. Development: the standard is discussed by CSA experts. Availability: the document is freely available to download from the CSA website.
Use cases: UC1 Select cloud service: Users can include CCM compliance as a prerequisite for selecting a provider; for this, the CCM requirements have to be relevant for the specific service the user wants to move to the cloud. UC6 Audit/Inspect: If users want their provider to be audited, they can ask for third-party certification of compliance with CCM using the Open Certification Framework.
Applies to: Facilities and Organisation.
Requirements included in the CCM are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.

Certification: Compliance with CCM can be shown in two ways: self-assessment by the provider, which publishes how it complies using the Consensus Assessments Initiative Questionnaire (CAIQ) and the public Security, Trust & Assurance Registry (STAR); or certification by a third party via the CSA Open Certification Framework.
Adoption: Limited. Tens of organisations have shown that they use it (according to STAR, it has been adopted by 22 cloud service providers). Besides, it is widely mentioned by security industry practitioners.
Description: CCM customises the general security controls collected in other standards (ISO 27002, ISACA COBIT, PCI, NIST, ...) for cloud computing services. CCM is a control framework, aligned with the CSA guidance in 13 domains, that provides security principles to guide cloud vendors, and it is part of the CSA Governance, Risk Management and Compliance (GRC) Stack. The Open Certification Framework is a programme that seeks incremental certification of cloud providers against the CSA's security guidance and control objectives. The framework suggests three levels, each offering an additional layer of trust: self-assessment by the provider itself, assessment by a third party (at this moment, CSA and BSI have signed an agreement), and continuous monitoring, which is under development at this moment.

8.13 EuroCloud Star Audit

Name: EuroCloud Star Audit
Organisation: EuroCloud Deutschland_eco e.V.
Openness: Not open. Development: elaborated by EuroCloud Deutschland experts. Availability: not available for download from the EuroCloud website, nor available for purchase.
Use cases: UC1. Select cloud service: users can include a Star Audit certification as a prerequisite for selecting a provider, choosing between the three certifiable levels (three, four or five stars, see the description). UC6. Audit/inspect: users who want their provider to be audited can ask it to keep the certification, which ensures that the provider is audited every year against the EuroCloud criteria.
Layers: SaaS, Facilities and organisation.
Although the detailed requirements are not public, Star Audit is focused on the SaaS layer. Nevertheless, it has a certification adaptation for the infrastructure (the SaaS Ready certification) which includes requirements for the facilities that support the SaaS provision and for the organisation itself.

Certification: Certification by eco IT Service und Beratung GmbH auditors.
Adoption: Limited. Fewer than ten services have been certified using this scheme.
Description: SaaS Star Audit considers different grades of certification, similar to hotel stars (from 1 to 5), although certifications are granted only from 3 stars upwards for SaaS services. There are three modalities of certification, related as follows: Star Audit SaaS certification = Star Audit SaaS Ready certification (infrastructure) + Star Audit SaaS App certification (application). The criteria included in the EuroCloud certification are: Contract and compliance; Security; Operations and infrastructure; Operational processes; Application; and Implementation.

8.14 EuroPriSe

Name: EuroPriSe (European Privacy Seal)
Organisation: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Openness: Partly open. Development: the certification criteria were developed by the members of the European project that started the programme. Availability: the criteria are freely available for download from the EuroPriSe website.
Use cases: UC1. Select cloud service: users who want to make sure that providers comply with European privacy regulation can include holding a EuroPriSe certification as a prerequisite for selecting a provider. UC6. Audit/inspect: users who want their provider's compliance with European privacy regulation to be audited can ask it to keep the certification, which ensures that the provider is audited every year against the EuroPriSe criteria.
Layers: Facilities and organisation. Requirements included in the EuroPriSe criteria are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: Certification by ULD.
Adoption: Limited. Twelve (12) valid seals at this moment.

Description: EuroPriSe offers a European privacy certification scheme for IT products and IT-based services. Manufacturers and vendors of IT products and IT-based services can apply for the European certificate. It is awarded after successful evaluation of the product or service by independent experts (142 registered) and validation of the evaluation report by an impartial certification body. The EuroPriSe criteria are divided into four sets: Overview of fundamental issues; Legitimacy of data processing; Technical-organisational measures; and Data subjects' rights.

8.15 ISO/IEC 27001

Name: ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements
Organisation: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Openness: Partly open. Development: the standard is discussed only within ISO/IEC. Availability: the document is available for purchase from the ISO online store.
Use cases: UC1. Select cloud service: users can include ISO/IEC 27001 certification as a prerequisite for selecting a provider. UC6. Audit/inspect: although ISO/IEC 27001 certifies that a provider operates an Information Security Management System, not a security level, the standard's audits can serve the user as evidence that a third party annually reviews the provider's security procedures.
Layers: Facilities and organisation. This standard, as the definition of a certifiable ISMS framework, applies to all elements related to the management of information security on the provider side, but it does not include any requirements specific to cloud services.
Certification: The standard is certifiable by accredited certification entities.
Adoption: Global. Thousands of companies are certified against this standard (7,940 according to a register that cannot be considered complete).
Description: ISO/IEC 27001:2005 sets the principles to define, develop and operate an Information Security Management System (ISMS) that can afterwards be certified by an accredited certification body.
It is based on the PDCA (plan-do-check-act) model, fostering continuous improvement of information security, but it neither prescribes nor mandates any specific security measures.

ITIL

Name: ITIL, Information Technology Infrastructure Library [3]
Organisation: United Kingdom Cabinet Office
Openness: Partly open. Development: the standard is discussed only by the Cabinet Office. Availability: the documents are available for purchase from the Best Management Practice online store.
Use cases: UC1. Select cloud service: users can include ISO/IEC 20000 certification as a prerequisite for selecting a provider. UC6. Audit/inspect: ISO/IEC 20000 certifies a provider's service management practices, so the standard's audits can serve the user as evidence that a third party annually reviews those practices against the standard's scheme.
Layers: Organisation. Due to the focus of this framework on service management, the element of the cloud model most affected by it is considered to be the organisation.
Certification: Certification can be achieved against ISO/IEC 20000 (IT Service Management Certification Scheme).
Adoption: Widely. Hundreds of companies are certified against ISO/IEC 20000 (713 according to a register that cannot be considered complete).
Description: ITIL is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL describes processes, procedures, tasks and checklists that a service provider can use to establish integration with the organisation's strategy. It allows the organisation to establish a baseline from which it can plan, implement and measure. ITIL 2011 has five core publications: ITIL Service Strategy; ITIL Service Design; ITIL Service Transition; ITIL Service Operation; and ITIL Continual Service Improvement.

[3] Based on the Wikipedia definition.

SOC 2

Name: Service Organization Control Reports
Organisation: AICPA (American Institute of Certified Public Accountants) / CICA (Canadian Institute of Chartered Accountants)
Openness: Partly open. Development: elaborated by AICPA/CICA experts. Availability: the basic documents are freely available for download from the AICPA and Webtrust.org websites; more specific ones have to be purchased.
Use cases: UC1. Select cloud service: use of a SOC report (especially the SOC 2/SOC 3 types) allows providers to show compliance with a predefined set of requirements defined by AICPA/CICA. Users can ask for a SOC report on the service they would like to use as a prerequisite for selecting a provider. UC6. Audit/inspect: SOC reports are issued for a period of validity, so if users ask for the reports periodically, the provider is continuously audited against security criteria by a CPA.
Layers: Facilities and organisation. Requirements included in the Trust Services Principles, Criteria, and Illustrations are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: SOC reports can be issued by independent Certified Public Accountants (CPAs) acting according to AICPA/CICA standards.
Adoption: Widely adopted. Hundreds of companies have been audited for this type of report (previously known as SAS 70 reports).
Description: SOC reports are internal control reports on the service provided by a service organisation, giving users the information they need to assess the risks. These reports are the successors of the well-known SAS 70 reports. They provide an independent evaluation of the effectiveness of controls that address operations and compliance. There are three reporting options:
- SOC 1 (restricted use): focuses solely on controls at a service organisation that are likely to be relevant to an audit of a user entity's financial statements.
- SOC 2 (generally restricted use): uses the predefined criteria in the Trust Services Principles, Criteria and Illustrations (security, availability, processing integrity, confidentiality and privacy) to provide a description of the service organisation's system, the auditor's tests of controls and their results, and the auditor's opinion on that description.
- SOC 3 (general use, with a public seal): uses the same criteria to provide only the auditor's opinion on whether the system achieved the trust services criteria.

Tier Certification

Name: Data Center Site Infrastructure Tier Standard
Organisation: The Uptime Institute
Openness: Not open. Development: elaborated and discussed by the Owners Advisory Committee (the organisations that have successfully achieved Tier Certification). Availability: not available for download from the Uptime Institute website, nor available for purchase.
Use cases: UC1. Select cloud service: use of Tier certification allows providers to show compliance with a predefined set of requirements defined by the Uptime Institute. Users can ask for the Tier certification of the data center they would like to use as a prerequisite for selecting a provider. UC6. Audit/inspect: when selecting a data center, clients can ask for a Tier certification matching their requirements, to make sure that a third party (the Uptime Institute) has audited that data center against the tier certification requirements.
Layers: Facilities. The standard applies to the elements included in data centers: hardware, housing and power/cooling.
Certification: The Uptime Institute has retained the exclusive legal right to review, assess and certify data centers against the Institute's Tier Classification System. There are three steps: Design Certification; Constructed Facility Certification; and Operational Sustainability Rating.
Adoption: Widely adopted. There are 269 data centers certified from Tier II to Tier IV (according to the Uptime Institute website): 5 as Operational Sustainability, 4 as Constructed Facilities and 210 as Design Documents.
Description: The standard is an objective basis for comparing the functionality, capacities and relative cost of a particular site infrastructure design topology against others, or for comparing groups of sites.
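Of the schemes listed in this section, SCAP is the only one whose artefacts are machine-readable, which is what makes automated checking possible. The script below is an added example, not code from ENISA, NIST or any SCAP vendor: it parses a constructed XCCDF 1.2 TestResult (the rule identifiers and score are hypothetical) and computes CVSS v2 base scores from vector strings using the CVSS v2 base equations, i.e. it exercises the Languages and the Measurement and scoring components of SCAP. Only the Python standard library is used; SCAP content obtained from untrusted sources should be parsed with a hardened XML parser such as defusedxml rather than xml.etree.

```python
"""Consuming SCAP 1.2 content: XCCDF rule results and CVSS v2 base scores.

Added example for the SCAP entry in this section; not ENISA's or NIST's code.
The XCCDF document, rule identifiers and score below are constructed for
illustration only.
"""
import xml.etree.ElementTree as ET  # for untrusted content, use defusedxml instead
from decimal import Decimal, ROUND_HALF_UP

# Namespace of XCCDF 1.2, the checklist language bundled in SCAP 1.2.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed XCCDF 1.2 TestResult (hypothetical rule ids and score).
SAMPLE_XCCDF_RESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_baseline"
            start-time="2013-03-01T10:00:00" end-time="2013-03-01T10:05:00">
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_min_length" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing" severity="high">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">50.00</score>
</TestResult>
"""


def parse_xccdf_results(xml_text):
    """Map each rule-result idref to (result, severity) and read the overall score."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    results = {}
    for rr in root.findall("x:rule-result", ns):
        result_el = rr.find("x:result", ns)
        result = (result_el.text or "").strip() if result_el is not None else ""
        results[rr.get("idref")] = (result or "unknown", rr.get("severity", "unknown"))
    score_el = root.find("x:score", ns)
    score = float(score_el.text) if score_el is not None else None
    return {"score": score, "results": results}


def failing_rules(parsed, severities=("high", "medium", "low")):
    """Return the ids of rules whose result is 'fail', filtered by severity."""
    return sorted(rule_id for rule_id, (result, severity) in parsed["results"].items()
                  if result == "fail" and severity in severities)


# CVSS v2 base metric weights (CVSS v2 is the version referenced by SCAP 1.2).
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    weights = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in CVSS2_WEIGHTS or value not in CVSS2_WEIGHTS[name]:
            raise ValueError("invalid CVSS v2 base metric: %r" % part)
        weights[name] = CVSS2_WEIGHTS[name][value]
    missing = set(CVSS2_WEIGHTS) - set(weights)
    if missing:
        raise ValueError("missing CVSS v2 base metrics: %s" % ", ".join(sorted(missing)))
    impact = 10.41 * (1 - (1 - weights["C"]) * (1 - weights["I"]) * (1 - weights["A"]))
    if impact == 0:
        return 0.0  # f(Impact) is 0 when there is no impact at all
    exploitability = 20 * weights["AV"] * weights["AC"] * weights["Au"]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    # The specification rounds the result to one decimal place.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    parsed = parse_xccdf_results(SAMPLE_XCCDF_RESULT)
    print("XCCDF score: %s, failing high-severity rules: %s"
          % (parsed["score"], failing_rules(parsed, severities=("high",))))
    for vec in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "AV:N/AC:M/Au:N/C:P/I:N/A:N"):
        print(vec, "->", cvss2_base_score(vec))
```

The rule-result values follow the XCCDF result vocabulary (pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed); only "fail" is reported here, so a scanner that records "error" or "unknown" for a rule it could not evaluate would need those states surfaced separately before the report is used as evidence of compliance.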

P.O. Box 1309, Heraklion, Greece


More information

Cloud Computing for Architects

Cloud Computing for Architects Cloud Computing for Architects This four day, hands-on boot camp begins with an examination of the Cloud Computing concept, the structure and key characteristics of Clouds, and takes a look under the hood

More information

Open Data Center Alliance Usage: SERVICE CATALOG

Open Data Center Alliance Usage: SERVICE CATALOG sm Open Data Center Alliance Usage: SERVICE CATALOG Legal Notice This Open Data Center Alliance SM Usage: Service Catalog is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS WHO ARE NOT

More information

2011 Cloud Security Alliance, Inc. All rights reserved.

2011 Cloud Security Alliance, Inc. All rights reserved. Vast Landscape of Cloud Standards Development Organizations (SDOs) 2 4 Mission Statement (Non-Profit) Promote common level of understanding Consumers Providers Security Requirements Attestation of Assurance

More information

Professional Cloud Solutions and Service Practices

Professional Cloud Solutions and Service Practices Emerging Technologies Professional Cloud Solutions and Service Practices The Shift to a Service-on-Demand Business Operating Model and Working Practices By Mark Skilton, CEO, Digital Ecosystem practices,

More information

Introduction to Service Oriented Architectures (SOA)

Introduction to Service Oriented Architectures (SOA) Introduction to Service Oriented Architectures (SOA) Responsible Institutions: ETHZ (Concept) ETHZ (Overall) ETHZ (Revision) http://www.eu-orchestra.org - Version from: 26.10.2007 1 Content 1. Introduction

More information

Cloud Computing - Starting Points for Privacy and Transparency

Cloud Computing - Starting Points for Privacy and Transparency Computing - Starting Points for Privacy and Transparency Ina Schiering Ostfalia University of Applied Science Wolfenbüttel, Germany IFIP Summerschool: Privacy and Identity Management for Life, Helsingborg,

More information

Security & Trust in the Cloud

Security & Trust in the Cloud Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer

More information

Trust but Verify. Vincent Campitelli. VP IT Risk Management

Trust but Verify. Vincent Campitelli. VP IT Risk Management Trust but Verify Vincent Campitelli VP IT Risk Management McKesson Corporation Trust but Verify Cloud Security 3 Agenda Cloud Defined Cloud Opportunities Cloud Challenges What s Different? How to Verify

More information

Geoff Raines Cloud Engineer

Geoff Raines Cloud Engineer Geoff Raines Cloud Engineer Approved for Public Release; Distribution Unlimited. 13-2170 2013 The MITRE Corporation. All rights reserved. Why are P & I important for DoD cloud services? Improves the end-to-end

More information

Standards and Guidelines for. Information Technology. Infrastructure, Architecture, and Ongoing Operations

Standards and Guidelines for. Information Technology. Infrastructure, Architecture, and Ongoing Operations Standards and Guidelines for Information Technology Infrastructure, Architecture, and Ongoing Operations This document describes applicable standards and guidelines for the university's policy on Information

More information

CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service

CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service Open Data Center Alliance, Inc. 3855 SW 153 rd Dr. Beaverton, OR 97003 USA Phone +1 503-619-2368 Fax: +1 503-644-6708 Email:

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs FDCC & SCAP Content Challenges Kent Landfield Director, Risk and Compliance Security Research McAfee Labs Where we have been 1 st Security Automation Workshop nearly 20 people in a small room for the day

More information

White Paper on CLOUD COMPUTING

White Paper on CLOUD COMPUTING White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples

More information

Cloud Computing: Compliance and Client Expectations

Cloud Computing: Compliance and Client Expectations Cloud Computing: Compliance and Client Expectations February 15, 2012 MOSS ADAMS LLP 1 TODAY S PRESENTERS Moderator Kevin Villanueva, CPA, CISA, CISM, CITP, CRISC Sr. Manager, Infrastructure and Security

More information

Interoperable Clouds

Interoperable Clouds Interoperable Clouds A White Paper from the Open Cloud Standards Incubator Version: 1.0.0 Status: DMTF Informational Publication Date: 2009-11-11 Document Number: DSP-IS0101 DSP-IS0101 Interoperable Clouds

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,

More information

How To Understand Cloud Computing

How To Understand Cloud Computing Cloud Computing Information Security and Privacy Considerations April 2014 All-of-Government Cloud Computing: Information Security and Privacy Considerations April 2014 1 Crown copyright. This copyright

More information

Logically Securing a Public Cloud Service

Logically Securing a Public Cloud Service SESSION ID: CIN-W07 Logically Securing a Public Cloud Service Tim Mather CISO Cadence Design Systems @mather_tim Disclaimer: AWS (Amazon Web Services) is referenced in this presentation extensively, only

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

Securing Web Services With SAML

Securing Web Services With SAML Carl A. Foster CS-5260 Research Project Securing Web Services With SAML Contents 1.0 Introduction... 2 2.0 What is SAML?... 2 3.0 History of SAML... 3 4.0 The Anatomy of SAML 2.0... 3 4.0.1- Assertion

More information

Cisco Intelligent Automation for Cloud

Cisco Intelligent Automation for Cloud Product Data Sheet Cisco Intelligent Automation for Cloud Early adopters of cloud-based service delivery were seeking additional cost savings beyond those achieved with server virtualization and abstraction.

More information

Cloud Computing An Introduction

Cloud Computing An Introduction Cloud Computing An Introduction Distributed Systems Sistemi Distribuiti Andrea Omicini andrea.omicini@unibo.it Dipartimento di Informatica Scienza e Ingegneria (DISI) Alma Mater Studiorum Università di

More information

Information Technology Services

Information Technology Services Information Technology Services The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University

More information

Lightweight Data Integration using the WebComposition Data Grid Service

Lightweight Data Integration using the WebComposition Data Grid Service Lightweight Data Integration using the WebComposition Data Grid Service Ralph Sommermeier 1, Andreas Heil 2, Martin Gaedke 1 1 Chemnitz University of Technology, Faculty of Computer Science, Distributed

More information

CLOUD COMPUTING OVERVIEW OF CLOUD COMPUTING PRINCIPLES AND TECHNOLOGIES

CLOUD COMPUTING OVERVIEW OF CLOUD COMPUTING PRINCIPLES AND TECHNOLOGIES CLOUD COMPUTING OVERVIEW OF CLOUD COMPUTING PRINCIPLES AND TECHNOLOGIES Peter R. Egli INDIGOO.COM 1/31 Contents 1. What is cloud computing? 2. Why cloud computing? 3. Typical IaaS, PaaS, SaaS providers

More information

SOA CERTIFIED JAVA DEVELOPER (7 Days)

SOA CERTIFIED JAVA DEVELOPER (7 Days) SOA CERTIFIED JAVA DEVELOPER (7 Days) To achieve this certification, the following exams must be completed with a passing grade: Exam S90.01: Fundamental SOA & Service-Oriented Computing Exam S90.02: SOA

More information

European Cloud. Computing Strategy. State of play: 1-2014. Ken Ducatel DG CONNECT

European Cloud. Computing Strategy. State of play: 1-2014. Ken Ducatel DG CONNECT European Cloud State of play: 1-2014 Computing Strategy Ken Ducatel DG CONNECT What is at stake? Cloud as a growth engine Boost GDP : 940 bn cumulative impact for 2015-2020 250bn in 2020 Boosts productivity

More information

SOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901.

SOA, case Google. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901. Faculty of technology management 07.12.2009 Information Technology Service Oriented Communications CT30A8901 SOA, case Google Written by: Sampo Syrjäläinen, 0337918 Jukka Hilvonen, 0337840 1 Contents 1.

More information

OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0

OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0 sm OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0 SM Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Assumptions... 5 SaaS Interoperability

More information

Cloud Computing & Service Oriented Architecture An Overview

Cloud Computing & Service Oriented Architecture An Overview Cloud Computing & Service Oriented Architecture An Overview Sumantra Sarkar Georgia State University Robinson College of Business November 29 & 30, 2010 MBA 8125 Fall 2010 Agenda Cloud Computing Definition

More information

Guideline on Implementing Cloud Identity and Access Management

Guideline on Implementing Cloud Identity and Access Management CMSGu2013-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Implementing Cloud Identity and Access Management National

More information

Assessing Risks in the Cloud

Assessing Risks in the Cloud Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research

More information

Cloud Computing Security Issues

Cloud Computing Security Issues Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security, marchany@vt.edu Something Old, Something New New: Cloud describes the use of a collection of services, applications,

More information