Cloud Security. A community paper sifting through the fog of cyber complexity!


Cloud Security - what REALLY matters?

Cloud Security
A community paper sifting through the fog of cyber complexity!
(Preliminary DRAFT for initial technical community discussion)

Most enterprises are embracing cloud computing to gain greater efficiencies and better scalability in these highly competitive economic times. Many industry estimates show that IT costs can be reduced by as much as 85 percent when businesses move software, infrastructure or platforms to the cloud. But, while moving operations to the cloud provides convenience and cost savings, it also opens up new risks for data compromise and leakage, as well as unlimited opportunities to serve the customer better and anticipate their security service needs. With increasing statutory and compliance requirements, it's more important than ever for security professionals to overcome misconceptions about cloud technology's security, particularly how to manage the risk if one is not certain where data resides.

This community paper explores these various security perspectives, smooths the hyperbole, and offers implementation-centric approaches and solutions that can ensure your data is well protected within trusted communications. Contact any of the co-authors listed below for more information and sharing / implementation opportunities.

Executive Summary

Knowing how to accommodate the various security concerns of cloud computing allows any organization to comply with laws and compliance regulations, as well as minimize liability. An effective set of security controls can be implemented by understanding the typical risks to data confidentiality, integrity, and availability (C-I-A). Cloud standards and security controls are available for incorporation into the acquisition of cloud services, though some are still in work (see the URL/link to cloud security standards in the appendix). We strongly recommend adhering to those two best-practice architecture elements (standards and security controls) to ensure both enterprise interoperability and a known, due-diligence level of security posture.

The current cloud environment has the potential to increase data security through intelligent design and by incorporating security into system architectures and engineering processes. Organizations must manage the end-to-end security posture and the protections offered, both on-site and by the cloud provider; the data owner's statutory and fiduciary responsibility does not end at the cloud provider's information technology (IT) / network security boundary. The required security protections are the same information assurance (IA) controls that organizations also need to implement in their organic / in-house IT environment. All of these should be quantified in effective service level agreements (SLAs) that allow effective monitoring and verification of those security controls in the cloud provider environment.

We recommend the following key cloud security activities and methods:

1. Maintain a detailed security policy with active monitoring and control, to support enforcement - quantify the processes for key risk areas: BYOD, DLP, etc.
2. Maintain a cyber security architecture that accommodates enterprise end-point security in both (1) the organic / on-site IT/security environment and (2) the cloud provider.
3. Conduct a security baseline, fix critical vulnerabilities and employ monitoring / SCM / SIEM (which must also communicate with cloud providers' reporting methods).
4. Use encryption in all aspects of data / communications, especially externally stored data. Leverage security-as-a-service providers for an independent perspective. End-to-end encryption with reliable key management is a particularly powerful defensive measure.
5. Ensure cloud security services, as instantiated in an SLA, are in the overall risk management plan, including COOP and alternate providers / data storage repositories.
6. List the organization's specific cloud needs in a cloud provider checklist, embed all capabilities and metrics in the SLAs, and use the checklist as a tool for periodic status reviews as well.

Introduction

Cloud computing has three generally accepted major driving forces, all related: 1) the economics of large-scale computation infrastructure (e.g., data centers), 2) the ability to provide fungible computation on demand, and 3) the ability to centralize vast collections of data for common analytics (DARPA 2011). Cloud computing does two things very well - it speeds up time-to-market and lowers costs. Fundamentally, you're using IT a lot more efficiently than you would in an in-house / self-provided network environment. For example, in a virtualized cloud environment, you're using servers at a high level of utilization, where the service providers make the hardware, software and services work up to specifications.

Security, especially data C-I-A, is the biggest concern; typically the first two are the security focus, as it's generally implied that availability / reliability is built in with cloud. Implementation of cloud computing without understanding enterprise, end-to-end (e2e) security requirements up front increases security vulnerabilities. A key opportunity for clients and providers alike is implementing cloud computing in a manner that enhances data C-I-A, while achieving the other benefits of agility, reliability, and reduced cost.

Implementing secure cloud computing raises numerous issues, including legacy systems, which were not typically designed with security built in and have acknowledged security vulnerabilities that must be mitigated if legacy programs are migrated to the cloud. Data is the key asset of value in most systems, with data exploitation (loss of confidentiality and compromised integrity) being the most common result of exploited vulnerabilities. Cloud risk management is a global, team practice by the data owner and service provider.
Gartner's report on the cloud security hype cycle (Heiser, 2012) identifies several areas that will mature soon, enhancing the overall, enterprise risk management perspective:

- A consensus on what constitutes the most significant areas of cloud risk, along with accepted standards for risk acceptance and management,
- Cloud services certification standards that could significantly reduce buying friction,
- Virtual machine governance and control, with mechanisms that enable reliable management of virtual images and cloud-based data,
- Enterprise control over logging and investigation for platform or software services for monitoring and alerting,
- Content-based control within SaaS and PaaS, which evaluates text content and takes action on it,
- Cloud security gateways: security "add-ons" based in proxy services, whose control mechanisms can be stacked in a chain of cloud-based providers to filter user requests (with IA controls), and
- Increasing network access control (NAC) support to ensure some known level of security configuration on the desktop / end user device.

The cloud security challenges are principally based on:

a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control

The cloud security risks can be categorized into what some experts at the Cloud Security Alliance (CSA) identify as the nine critical threats to cloud security (ranked in order of severity):

1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues

Bottom line: we recommend following both the NIST and CSA cloud guidance at:

As well as an overall, enterprise, e2e, risk management approach (RMF & FedRAMP) that also covers the CSA security risks addressed at (for one implementation approach review):

The guidance on cloud computing exists in many levels of policy, strategy, and technical documentation. Cloud computing is mandated for federal agencies in our law, policy, and strategy, with guidance in the National Defense Authorization Act (NDAA), DoD CIO and DoD strategies, and other organizational implementation directives. The appendix and references / bibliography provide many more details. Combining these NIST guidelines and the CSA guides with those on risk management and continuous monitoring allows for the development of an effective, due-diligence cloud security framework with common, specified security controls.

Two risk methodologies to consider for use are the NIST Risk Management Framework (RMF) and the Federal Risk and Authorization Management Program (FedRAMP), where the latter is a unified government-wide risk management program focused on security for cloud-based systems (FedRAMP 2012). FedRAMP provides guidance on authorizing vendors and the use of cloud services by using the IA controls from NIST Special Publication These controls assist with the shift from securing systems and networks to securing data and its use in a multitiered defense.

Information dominance, and its market-leader commercial equivalent, are heavily based on decision superiority, fed by an information-centric environment ideally focused on a data-centric architecture (DCA) view. So what might that look like? DCA decouples designs and simplifies communication while increasing capability and facilitating system evolution. DCA can link systems of systems into a coherent whole using open standards, principally OMG's DDS ( ). Transports, operating systems, and other location details do not need to be known by application providers, which also facilitates adaptation to performance, scalability, and fault-tolerance requirements. We collectively must accommodate enterprise key boundaries, interfaces and data exchange standards / formats, and we must ensure they are secure e2e; thus, what aspects therein must also be accommodated in the cloud?

In essence, we need to collectively ensure that the e2e data protections cover the 4Vs (Volume, Variety, Velocity and Veracity) in all cases, including when data is at rest, being processed and in transit. Besides the usual IT/IA environmental protections (like CND, A/V suite, IDS, etc.), we also need to assess the potentially unique data-centric functions that may need added protection above the usual IA/CND suite (e.g., DCPS, DDSI, DataReader, DataWriter, Pub / Sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc.). The following illustration depicts one view of the various data-centric aspects to accommodate within the E2E protections profile.

Strategic Management Challenges and Issues

There are two main categories of clouds in cloud computing technology: Data and Utility. The Data Cloud (Data Centric) is characterized as a massively large database which scales linearly in size, which efficiently supports pattern-oriented search, which utilizes large numbers of cheap commodity hardware (Google Model), and which uses HADOOP, BigTable and MapReduce innovative database control and search technology (Google Based). On the other hand, the Utility Cloud (Resource Centric) is characterized by virtualization, the abstraction of resources (infrastructure, processing, storage, network) for multiple distinct instances. These two cloud types are different; thus e2e security must account for both.

The Intelligence Community (IC) has had success in separating Content and Metadata into separate HADOOP databases in the Data Cloud. The IC has successful experience in distributed "mini" data clouds. The intent of the IC Cloud is to "grab all the data"... then parse and analyze... and disseminate as required. In Data Cloud computing, analytics which apply correlation of hashing metadata reveal subtle behaviors.

Cloud computing is a disruptive technology. Anticipate significant efforts to socialize innovation and to address the necessary cultural change (technical, acquisition, legacy). Major improvements and enhancements in computing capacities are happening now. Data sets that were "too large to be useful" can now be effectively analyzed. More data is needed. 'Capture it all' (comment did not account for small pipes off ships and aircraft, just expressed a desire to obtain all the data that is possible). TCPED will utilize the IC Cloud (N2A architecture).

We need to reduce the time from "detection to searchability" of data. Currently, the speeds of collection and data aggregation are too slow (need to reduce days to hours, and hours to minutes). Databases need to GET BIGGER, not smaller. This is counter-intuitive from today's operations. The size of data files and databases is increasing exponentially.

Discussion of YAHOO and GOOGLE macro-data handling and processing. [see HADOOP from Yahoo] Google uses "Big Table" and puts everything they learn about all users and content into a single, searchable environment. DoD and US Govt should do the same.

Discussion of OPSEC and how certain entities think they are hiding well, when in reality, they are highlighting themselves to other searches. Example -- Google was able to find leading indicators of the recent Mexican Flu outbreak (medical web searches), while the US Centers for Disease Control (looking at hospital reports) was looking at trailing indicators.
In Data Cloud computing, the database design paradigms are fundamentally different from traditional relational design at every level. Examples: "Don't normalize before ingesting." "Ingest everything, even if redundant and erroneous. Associations can be made later." "Don't optimize. Don't generalize." "Don't put policy logic in the database." "Pervasively apply strict discipline to security tag every data element." "Calculate and pre-store anticipated query results to expedite subsequent retrieval."

Recommendation: Get training in HADOOP, BigTable and MapReduce technology. Remember, it's ALL about the DATA!

2020 Data Vision (Courtesy of Dan Green/SPAWAR): Themes and Memes (technology vs its adoption)

- Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
- CBAD = Cloud, Big Data, Analytics, Data Science (are you all-in?)
- Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
- Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
- Embedded Computing = ehpc, Tessel (mcpu / Java), Programmable hardware
- LBS = Location Based Services, IPS, Beaconing, NFC
- IoT = Internet of Things, M2M, Quantified Self
- Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
- STEM = Science Technology Engineering Math, Generation NOW, Old Dogs (YOU)

It's a data-centric world - we need privacy by design. Is your data/IP safe?

Cloud computing is interdependent with the client's end user devices and IT infrastructure, and affects the C-I-A of our overall information-centric environment depicted below. A key best practice is to have a well-defined security architecture, itself based on an organization's security policy, that supports both the local IT/apps and the cloud environment, to ensure common standards are used in building the information environment. Collectively we have a natural hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in e2e transactions. Each layer is responsible for the data / controls within its boundaries, also inherits the controls of its environment, and needs to formalize reciprocity therein!
A key cloud selection challenge is sorting through the various cloud options of technologies, deployment models, and service offerings for a secure implementation. Many potential cloud computing benefits, including security, are dependent upon the provider deployment model and services provided. Cloud computing introduces automation of IT function and role, where the function, role, and purpose of IT personnel change under cloud computing. Thus, the data, IA/cyber controls, interfaces and profiles in each layer / boundary must be quantified, follow standards where possible (for example, DDS in OMG) and all be agreed to upfront!

Cyber security is all about trust and DATA - architect it!

What this means is that enterprise IT/computing support needs to be enhanced to account for cloud computing, where every group, every process, every skill will have to be re-evaluated in light of the need to reduce cost, implement automation and support revenue-focused business initiatives (Golden 2012). Change of function and role extends to coordination of control between the organization and its service provider, especially during incident response and contingency operations - to a multi-level model for cloud computing. Specifically, the security model must assist in addressing protection of data at rest using data tagging, and using cloud security services such as identity and access management (IdAM), where in a service request, tagged data will be provided in accordance with assigned privileges. Implementation of this model is dependent upon the implementation of security controls to track data usage within the network and, most importantly, across network boundaries. The key point is that cloud security is a shared responsibility from the end device to storage in the cloud! The characteristics of cloud computing and the various service levels are provided in more detail in the appendix.

There are cloud threats to specifically address as well. A Trojan that tries to obstruct cloud-based antivirus technology present in major AV solutions offered by Chinese security firms is targeting users by posing as a video player and other popular software. The attackers use social engineering techniques to get the victims to install the Trojan - called Bohu - on their system. Once inside, the malware tries its best to not get noticed by the AV solution by modifying its payload components in such a way as to bypass hash-based detection. Having achieved that goal, it tries to install a Windows Sockets service provider interface (SPI) filter in order to block network traffic between the cloud security client and server and, for good measure, a Network Driver Interface Specification (NDIS) filter to impede the antivirus client to send any data to the server for further analysis.

Miscreants have released a Trojan specially designed to disable cloud-based anti-virus security defenses. The Bohu blocks connections from infected Windows devices and cloud antivirus services in place to protect them. Bohu - which was spotted by anti-virus researchers working for Microsoft in China - is hardwired to block access to cloud-based net services from Kingsoft, Qihoo, and Rising. All three firms are based in China. The malware poses as a video codec, a common ruse by virus writers worldwide. If installed, Bohu applies a filter that blocks traffic between the infected machines and service provider. The malware also includes routines to hide its presence on infected machines.
"With the bad guys now targeting security defenses, a different approach to safeguarding data is required. Relying on anti-virus solutions has proven ineffective time and time again. A more intelligent approach to security would serve to prevent against attacks like Bohu. Only by allowing code that is known to be good to enter a network, can organizations make sure they are truly protected."

Then there are 'Boy In The Browser (BITM)' attacks: researchers at Imperva identified a proxy Trojan attack targeting banks, retailers, and Google that's a less-sophisticated knock-off of 'man-in-the-browser'. These examples of cloud threats go on and on.

Implementation Recommendations

A cloud security policy is essential. Developing an effective security policy should follow an analytical process itself. This should start with answering basic questions about specific requirements, specifications and processes related to the policies (SC magazine, 2013).

Content: What do we want to put in the cloud - data, applications or both? Based on this, you will be able to identify criteria to determine the best cloud provider and the service required, such as IaaS, PaaS, SaaS or, more likely, some combination of those.

Data: Do we have a data identification and classification policy? What about procedures for the types of data to be allowed in the cloud: sensitive corporate data, protected data (such as PII, SSNs or HIPAA related), or day-to-day operational data? If you don't have a good data classification policy, develop one, so you aren't inadvertently transmitting and storing data in a cloud that you don't want there.

Peer policy: What have others in our industry done and what can we borrow? Calling up a peer who's already ventured into the cloud and has experience with the good, the bad and the unexpected can really help you craft your policy. Checking out what standards bodies like ISO, NIST or the CSA have created is a good way to discover policy areas you may have missed.

Access: Who within your organization is allowed to enter into agreements with cloud providers? Who has authority to negotiate SLAs? Who can set up an application in or move data to the cloud, and with whom should it be approved beforehand?
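An added example (not part of the original paper) of the data-tagging model described earlier, in which a service request mediated by IdAM releases tagged data only in accordance with assigned privileges, using the data types named in the Data question above. The ordering of the levels, the category names, the subjects and every record value are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    # Ordering is an assumption; the paper names these data types but no ranking.
    OPERATIONAL = 1   # day-to-day operational data
    SENSITIVE = 2     # sensitive corporate data
    PROTECTED = 3     # protected data (PII, SSNs, HIPAA related)


@dataclass(frozen=True)
class Tag:
    level: Level
    categories: frozenset = frozenset()   # handling caveats, e.g. {"PII"}


@dataclass(frozen=True)
class Element:
    name: str
    value: str
    tag: Optional[Tag]   # None models an element that was never tagged


@dataclass(frozen=True)
class Privileges:
    # What a (hypothetical) IdAM service asserts about the requester.
    subject: str
    clearance: Level
    categories: frozenset = frozenset()


def decide(priv, tag):
    """Return (allowed, reason). Untagged data is withheld, never released by default."""
    if tag is None:
        return False, "untagged"
    if priv.clearance < tag.level:
        return False, "clearance below tag level"
    missing = tag.categories - priv.categories
    if missing:
        return False, "missing category: " + ",".join(sorted(missing))
    return True, "privileges dominate tag"


def serve_request(priv, record, boundary, audit):
    """Release the permitted elements and append one audit entry per decision,
    so data usage can be tracked across the named network boundary."""
    released = {}
    for el in record:
        allowed, reason = decide(priv, el.tag)
        audit.append({
            "subject": priv.subject,
            "element": el.name,
            "boundary": boundary,
            "decision": "release" if allowed else "withhold",
            "reason": reason,
        })
        if allowed:
            released[el.name] = el.value
    return released


# Constructed sample record; every value is invented for this example.
RECORD = [
    Element("visit_date", "2013-04-02", Tag(Level.OPERATIONAL)),
    Element("contract_terms", "net-30", Tag(Level.SENSITIVE)),
    Element("ssn", "000-00-0000", Tag(Level.PROTECTED, frozenset({"PII"}))),
    Element("diagnosis", "example-dx", Tag(Level.PROTECTED, frozenset({"HIPAA"}))),
    Element("free_text_notes", "call back Tuesday", None),
]

ANALYST = Privileges("analyst01", Level.SENSITIVE)
CLINICIAN = Privileges("clinician07", Level.PROTECTED, frozenset({"HIPAA"}))


def demo():
    audit = []
    analyst_view = serve_request(ANALYST, RECORD, "cloud->on-site", audit)
    clinician_view = serve_request(CLINICIAN, RECORD, "cloud->on-site", audit)
    return analyst_view, clinician_view, audit


if __name__ == "__main__":
    analyst_view, clinician_view, audit = demo()
    print("analyst sees:  ", sorted(analyst_view))
    print("clinician sees:", sorted(clinician_view))
    for entry in audit:
        if entry["decision"] == "withhold":
            print(entry["subject"], entry["element"], "->", entry["reason"])
```

The untagged element is withheld from both requesters, which is why the tagging discipline has to be applied to every data element before it is stored in the cloud.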
We consider the common best industry cloud practices as a first start in understanding the enterprise security architecture needed to support effective cloud security. One view thereof is the Five Best Practices for Cloud Security (IBM, 2013):

1 - Embrace a secure-by-design approach: IT organizations need to focus on identifying controls that address the lack of direct access to information. Taking an approach that is secure by design forms the foundation of the organization's strategy for entering the cloud and allows the organization to consistently approach security needs based on the workloads and granular data represented in their cloud efforts. This also facilitates the implementation of resiliency and audit capabilities in the cloud, allowing organizations to extend their security philosophy to the cloud.

2 - Identify alternative deployment locations where you can rapidly redeploy your images: This segment of the secure-by-design philosophy focuses on identifying alternate environments for deployment, and the selection of vendors which do not create conditions of cloud "lock-in." This flexibility allows organizations to respond to changing conditions with minimal interruption to the business.

3 - Implement an active monitoring solution: For organizations to address availability or instability conditions they must implement an active monitoring solution; failure to do so relies on cues from users, which could result in damages ranging from poor customer satisfaction to loss of customers. Organizations need to make determinations as to the monitoring and intervals based on data content, and should implement manual or automated procedures to respond to related events. Even better are security products with built-in audit mechanisms to facilitate monitoring.

4 - Develop a plan and educate the response team: A large element of security is the response to threats and how rapidly an organization can respond to threats and adverse events. Organizations should document logical responses to event classes and implement education programs to facilitate response to said conditions.

5 - Leverage Security-as-a-Service solutions: For instance, a managed backup service provides you the option to specify image storage locations.
Managed security solutions allow organizations to share responsibility for monitoring and management of security functions; this is particularly useful in today's climate, where threats come faster and are far more pervasive. The threats of today, while still being variants of the threats from yesterday, require professional skills to identify and respond to efficiently.

The cloud industry has many offerings and perspectives; these are an additional five best practices, this set with an architectural view, to also incorporate (SC Magazine, 2013):

1. Take a layered approach: The key to enterprise-class security in the cloud is a layered or defense-in-depth approach. Organizations should think about how to best secure each layer of the cloud environment, including the infrastructure, operating system, application and network. Further, because cloud environments are more dynamic than on-premise infrastructures, security approaches need to provide automated adaptability as new assets are provisioned or removed from the environment.

2. Divide the cloud into separate network segments. By segmenting out the various pieces of the network, data is categorized and organized in the same way it would be in a local data center. This enables organizations to benefit from the scalability, flexibility and cost benefits of the public cloud, without sacrificing the control of effective multi-layer security.

3. Ensure you have client-to-site VPN connectivity and that private IP addresses are routable between cloud networks. Client-to-site VPN connectivity should be used to enable employees to access the cloud servers' private IP addresses through a secure, encrypted tunnel, removing the threat of brute force or sniffing attacks. Additionally, private IP addresses that are routable among different networks will enable organizations to configure multi-tier network architectures with separate Layer 2 VLANs for each layer. With this, each application tier can be isolated by separate firewall policies, permitting traffic to specific ports and servers to be locked down.

4. Leverage hardware-based versus software-based networking. A hardware-based network architecture provides a higher level of resilience, reliability and security than a software-based architecture or simple, server-based security.

5. Cover the three key access points: physical, software and infrastructure security. Ensure that all areas in the data center are monitored 24/7/365 by both cameras and guards, and that access is restricted to authorized personnel with two-factor biometric authentication.
Cloud orchestration technology should enforce multi-tenant security across all cloud functions; it should support role-based permissions, enabling organizations to define which functions can be managed by which users. Also, passwords should never be stored in clear text on any system. Finally, update and patch infrastructure systems as needed to ensure both OS and infrastructure images remain up to date, and keep firewalls and VPNs maintained. Keep a security incident response team on hand in case of a compromise. If you're leveraging PaaS, the burden of patching and updating underlying systems is borne by the cloud provider - freeing up your resources to focus on other activities.

The use of external resources for cloud computing in its current state involves a number of risks in transferring some control of data. Proper mitigation of the risks in cloud computing requires determination of appropriate controls for all relevant security provider operations, where these mitigations will involve several key steps (Mosher, 2011):

1. Evaluate the risks involved in the use of cloud computing for a specific data application, and determine if the benefits to be gained offset the risks and the costs. This is especially critical if any regulatory compliance requirements are involved.
2. Assess the available cloud computing service providers to determine if any can provide the needed service while providing appropriate support in mitigating the identified risks.
3. Perform due diligence on the service provider to ensure their financial stability, and to confirm the promised support architecture is available.
4. Obtain copies of the service provider SAS 70 or the new SSAE 16 audit reports to confirm their controls, or perform an audit of the service provider to confirm these details.
5. Ensure that the service provider contract includes language specifying all required mitigating controls and reporting.
6. Implement a vendor management program to ensure ongoing compliance of the service provider with all necessary controls and service levels.
7. Ensure that all other appropriate internal mitigating strategies and options are implemented.

To best manage and monitor your cloud partner's capability, ensure you have a security and privacy checklist that supports the contract to evaluate the cloud provider, both initially and in periodic metrics / performance reviews. Some questions are listed below, and many other URLs/links on security SLAs are provided in the appendix (SC magazine, 2013):

1. Who is the cloud provider? Like any big business decision, knowing who your cloud provider is will be one of the most important decisions a CEO will make. Is the company local? Does it own its own equipment? Are there ancillary service providers delivering the service? What happens when you want to move your data to another cloud provider? Is the company financially secure?

2. How is data backed up? Most cloud providers have basic backups in place. But you should ask how this is done. Is there an archive to retrieve files that may have been deleted or overwritten several days or weeks ago? Is the backup process itself secure?

3. What are the service levels, and do they have references? Does the cloud provider guarantee uptime (and how is that provisioned)? How many alternate WAN/ISP connections do they have? Do they reimburse for downtime? Downtime is worth a whole lot more to a company than a cloud provider will reimburse. It may seem simple, but just asking for some references will help one understand the type of business with whom a partnership may form.

4. Who is the competition? Call some of the cloud provider's rivals to get a sense of what the market is delivering and how others are doing. Gauge the feedback and understand what it is likely to deliver: quality, reputation, expertise and service effectiveness.

5. Is the candidate's local infrastructure secure? Is your connection to it? Ensure that the computers you are accessing your data from are secure. Is a firewall in place? Do you have antivirus software running and is it current? Do you have policies in place that keep employees from visiting sites that may compromise the integrity of your network?

We provide a much more detailed sample SLA checklist in the appendix.

Threats / Impacts

The volume of attacks continues to increase in number and complexity. Adversaries are attempting over 250,000 intrusions daily and have demonstrated proficiency at infiltrating essentially all information systems and exploiting sensitive information. Threats have evolved to where they can quickly change and adapt to the mitigations / protections in the environment they are attacking. Many instances of data confidentiality breaches have occurred for federal and commercial organizations alike (re: Verizon data breach report), with breaches potentially worth many billions of dollars. Our current systems are difficult to defend, and the threat is becoming more advanced, with the result that our security declines over time.

An attack could be propagated faster in the cloud than on a legacy in-house network. A critical consequence could be data confidentiality or integrity breached without any timely mitigation and, as the statistics show, it takes many months for most breaches to be discovered. To mitigate this consequence, the SANS Institute recommends that the movement of data across network boundaries, both electronically and physically, must be carefully scrutinized to minimize its exposure to attackers (SANS 2012). The appendix has more threat / vulnerability discussions.

Within the commercial sector, hundreds of new technologies are emerging for managing and merging information. The maturity of these technologies varies with implementation time from less than two years to over 10 years (Figure 5). These new technologies can provide capabilities of enhanced situational awareness, alert detection, and behavior monitoring to improve data C-I-A. The technological change impact concerns cover the change of enterprise IT architecture, the effect on legacy systems, and keeping up with the change of commercial technology. Various cloud security technologies (Figure 5) can have a positive impact to mitigate threats and vulnerabilities. We must ensure that the communication channels (especially M2M), data (within the 4 Vs of data) and all technologies have security built in. Then we must prove that the environment we maintain has a complete, enterprise view of an IA/security/Cyber due diligence level, which meets compliance and statutory liabilities.

Figure 5: Gartner 2012 Hype Cycle for Cloud Security (Heiser 2012, p. 15)

Cloud computing risks also vary. Cloud has both existing standards and some developing ones (a detailed list / spreadsheet is at ). Standards always evolve with the technology, but we also need to keep up with emerging threats, as one ongoing risk is that vulnerabilities will not be understood or even known until widespread exploitation occurs. There are numerous combinations of possible cloud computing implementations between the various deployment models, services, and common characteristics, where risk varies by the deployment model and services. One accepted risk management approach is to use NIST's risk management framework (RMF) to understand and assess the risk and tradeoffs among the different options.

Method and process change also creates risk, where potential method changes include system and network certification and authorization, incident response, and continuity of operations. A risk and an opportunity is that the cloud environment collapses the network security boundaries, reduces the external attack surface, and standardizes the management, operational and technical security controls. Activities will also change risks - as an example, activity monitoring is different under cloud computing, as only a limited set of cloud services providers enable enterprises to hook into platform or software services for monitoring and alerting (Heiser 2012).

Recommended Security Controls

The development of security controls for better data security under cloud computing needs to address several areas (re: continuous monitoring, identity, authentication, and credential management), with cryptography that supports the shift from securing devices to securing the data itself and ensures that data is only shared with authorized users. Understanding these controls involves the use of NIST controls and can/should also leverage the efforts of the FedRAMP program, including accredited cloud service providers (see appendix for details).

The notional cloud's evolving security framework should include: enterprise specifications and enforced consistent, well-defined policies and procedures; placement of sensors at the most efficient locations for traffic capture and inspection; automation of key security processes including configuration and vulnerability monitoring; and centralization and consolidation of the operations centers, tools, and personnel that monitor and defend the network. In addition, moving target defenses are sought that periodically change the allocation of tasks to hosts, again making it difficult for an attacker to map the system well enough to launch a coordinated attack. Since these techniques consume significant resources, the degree to which they are applied should be a tunable parameter, allowing resources to be used in the most effective manner as the overall threat situation changes.

Most organizations' existing IT infrastructures are not sufficient to fully protect against cyber threats, especially advanced persistent threats. Using cloud computing to replace current infrastructure is challenging, especially for the proper security controls to ensure data C-I-A. With the proper security emphasis, however, cloud computing could very likely be more secure than the as-is environment. Within the cloud environment, there is an opportunity to implement a multi-layered defense of continuous monitoring at the levels of network, system, and data usage for improved data C-I-A.

One essential function to implement is encryption from the end device to cloud storage. Companies need to have complete data encryption with cloud key management to give the most secure, convenient and cost-effective solution for lifecycle cloud security regardless of private, public, or hybrid clouds, to include mandates such as PCI, HIPAA, SoX. Organizations are able to reap all the benefits of migrating to the cloud without having to manage the overhead of storing sensitive data in local databases. Furthermore, the ability to encrypt on a field-by-field basis provides customers the granularity needed to comply with their organizational data classification and regulatory requirements.

In the cloud, encryption frameworks are used to protect outgoing data, so that information is cryptographically sealed the instant it leaves the cloud compute node or the cloud application. This is commonly used to achieve compliance with industry regulations, including HIPAA and PCI DSS, and is an essential cloud architecture design pattern for organizations building their own cloud applications. Any sensitive data destined for the backend databases is immediately encrypted the moment it leaves the cloud application. This effectively creates a private data store within a public data center.
It also brings data-at-rest and data-in-transit security by keeping data in its unencrypted form ONLY when the cloud application is actually processing the data. In a well architected system, encryption keys are also maintained and managed away from the database servers that hold the encrypted data, increasing the security of the overall system. The very best solutions are designed so that the encryption keys simply never EVER touch the database servers - an excellent segregation of responsibilities and an example of defense in depth.

However, you might also be using 3rd party SaaS applications whose development or architecture cannot be directly influenced by your organization (e.g. Salesforce.com or Oracle CRM On Demand). In such situations a recent trend has been the use of security gateway appliances (virtual or physical) to protect outbound data. However, such gateway solutions often fall back to tokenization techniques to maintain the SaaS app's compatibility, leaving the data vulnerable to dictionary attacks. For SaaS applications not architected with security "designed in", such "bolt-on" solutions have limited effectiveness at best. At worst, they may present a false sense of security leading to relaxed monitoring and deployments. We recommend talking directly to the developers of the 3rd party SaaS to understand their data security architecture and gauge compliance, rather than introducing gateway solutions from another unrelated vendor.

The Cloud Security Alliance recently published guidance on best practices for implementing encryption and ownership of the encryption keys, where they highlighted this important consideration, stating that, based on the Segregation of Duties security principle, key management should be separated from the cloud provider hosting the data. This provides the greatest protection both against external breach of the service provider and against an attack originating from a privileged user/employee of the provider. Additionally, this segregation of duties prevents the cloud provider from unauthorized disclosure of customer data, such as compliance with a subpoena, without the customer's knowledge or approval. The customers should retain complete control over their data and only they should be able to comply with disclosure requests. A good cloud security framework must implement all the above and should do so in a cookie cutter/modular way without having to re-engineer the security model each time.

Apart from keeping the encryption keys away from the cloud data stores, we also recommend that the keys themselves be protected by multiple layers of security, including split knowledge cryptography. This protects against key disclosures as well as injection of malicious or compromised keys. Finally, while some propose homomorphic encryption for key management, fully homomorphic encryption is exceptionally slow and is not yet certified by NIST, breaking compliance guidelines.

Implementation Recommendations

We propose both a strategic (facilitating inter-organization harmonization) and tactical (execution at the organization level) set of recommendations. For the strategic / enterprise level for cloud overall, we recommend the following notional / national implementation cloud environment actions / tenets to ensure data C-I-A throughout the enterprise:

1. Use a multi-tier defense of data (encryption, key management, data ownership, and data usage) in the cloud, develop a data-centric security view of the environment;
2. Establish FedRAMP Security Control Baseline as the overall notional security control baseline for all cloud environments for consistency of implementation and verification;
3. Given the standard IA controls that are called out in the security controls baseline, divide and align security responsibilities between the organization and cloud service providers, establish clear inheritance oversight processes;
4. Implement a common cloud computing security architecture in all connected data centers, accommodating data at rest, in process and in transit between entities;
5. Adopt NIST's Risk Management Framework for evaluating security risk;
6. Leverage FedRAMP's provisional authorization process for cloud service providers;
7. Execute continuous monitoring concepts for networks and systems, leverage NIST's approach, harmonize with DHS's SCM efforts;
8. Develop advanced analytics for monitoring internal and external data usage; and
9. Train the Cyber Workforce concerning new cloud computing roles and responsibilities.

For the tactical / implementation level for any organization, we recommend:

10. Maintain a detailed security policy with active monitoring and control, to support enforcement. Also quantify the processes for key risk areas (BYOD, data control, data loss prevention, effective monitoring, etc.).
11. Maintain a cyber security architecture that accommodates enterprise end-point security in both: (1) the organic / on-site IT/security environment and (2) the cloud provider security capabilities / controls. Use the CSA, NIST and FedRAMP guidelines, including alternative sources. Quantify all IA controls, assign roles and responsibility for all, including inheritance aspects.
12. Conduct a security assessment of the in-house/on-site environment: define the baseline, fix critical vulnerabilities and then also employ monitoring / SCM / SIEM (which must also communicate with cloud providers' reporting methods).
13. Use encryption in all aspects of data / communications, especially externally stored data. End to end encryption with reliable key management is a particularly powerful defensive measure. Leverage security as a service providers for third party monitoring.
14. Ensure cloud services, as instantiated in a comprehensive service level agreement (SLA), are part of the overall risk management plan, including COOP and alternate providers / data storage repositories, etc.
15. Develop the organization's specific computing outsourcing needs, then distill the cloud aspects into a cloud provider checklist; use it as a tool for periodic status reviews as well, and embed all capabilities and metrics in the SLAs.
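The split knowledge protection recommended for encryption keys above, including its claim to guard against both key disclosure and injection of a malicious key, can be made concrete as follows. This is an added example, not code from the paper: it assumes an n-of-n XOR split among key custodians and an HMAC-SHA256 check value recorded when the key is created, and all function names are illustrative.

```python
"""Split-knowledge handling of a key-encryption key (KEK): added illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit key-encryption key (assumed size)


def key_check_value(key: bytes) -> str:
    """Fingerprint recorded at key creation and stored apart from every share.

    HMAC-SHA256 keyed with the key itself over a fixed label: the recombining
    party can confirm the key, but the fingerprint does not reveal it.
    """
    return hmac.new(key, b"kek-check-v1", hashlib.sha256).hexdigest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """n-of-n XOR split: all shares are required; any n-1 of them are random noise."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)  # XOR of every share now equals the key
    return shares


def combine_shares(shares: list[bytes], expected_kcv: str) -> bytes:
    """Recombine shares and refuse the result unless it matches the fingerprint.

    The check is what stops an injected or corrupted share from silently
    producing a different (attacker-chosen or useless) key.
    """
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need two or more shares of equal length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("recombined key rejected: check value mismatch")
    return key


def demo() -> dict:
    """Run the three cases on a freshly generated (constructed) key."""
    kek = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(kek)
    shares = split_key(kek, 3)
    results = {"roundtrip": combine_shares(shares, kcv) == kek}

    # One custodian absent: the remaining shares do not reconstruct the key.
    try:
        combine_shares(shares[:2], kcv)
        results["missing_share_rejected"] = False
    except ValueError:
        results["missing_share_rejected"] = True

    # One share altered by a single bit, standing in for an injected share.
    tampered = bytes([shares[1][0] ^ 0x01]) + shares[1][1:]
    try:
        combine_shares([shares[0], tampered, shares[2]], kcv)
        results["tampered_share_rejected"] = False
    except ValueError:
        results["tampered_share_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In practice each share would be held by a different custodian or system, and the check value would be kept by the party that recombines the key, away from the cloud data store.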

Appendix

(1) Cloud SLA checklist example
(2) Additional background / references / perspectives

Cloud SLA checklist example

We list several links with SLA / contract examples, so the reader can delve into more details.

Review and summary of cloud service level agreements (101). This takes a look at the "Cloud Computing Use Cases Whitepaper," Version 4.0, from the Cloud Computing Use Case group, an information storehouse created by an open web community of more than 1,400 participants.

Cloud computing checklist - GREAT sample! Part A is security / risk management, part B is compliance and part C is (further due diligence).

Other checklist samples for more references:
Practical Guide to SLAs
SLA checklist (top 10 items a slide)
Cloud based Security Checklist
Common Metrics to Have in Your Cloud SLA
Checklist for a Watertight Cloud Computing Contract and

An overview of what to include in SLAs (and contracts) would contain:

--- Clearly define requirements
Conduct a thorough audit of existing services. IT may have been provided by the user's in-house department, so things such as service levels, availability and performance may not have been formally measured in any detail. However, if you have this information to hand, it is easier for both user and supplier to explain their requirements and expectations.

--- Key performance indicators
Key performance indicators are chosen to cover the level of service provided, such as the availability of a network. Choosing KPIs to cover every single area could mean that measuring and monitoring them becomes unwieldy and not particularly useful. Care is required when choosing KPIs and setting targets.

--- Credits
The supplier may give the user credits (reimburse them with set amounts) if it fails to meet KPIs. If KPI targets and credits are set too high, it could make the deal unattractive for the supplier and act as a disincentive. Credits cannot totally compensate for poor service and so other plans should be put in place to resolve problems if they occur, rather than relying solely on credits.

--- Not just IT
Some users may believe that the SLA for IT outsourcing projects should be negotiated by the IT department alone, but this could have unwanted effects for other departments and the organization as a whole. All relevant people in a business should have an input into the SLA, including people from the finance, legal and other departments affected by the agreement.

--- Keep talking
SLAs often go wrong because the parties do not talk about problems they are encountering, or only talk once things have deteriorated too far. An SLA should try to cater for the resolution of problems or potential problems at an early stage. It is important to have formal procedures to escalate problems within set periods to middle management and then to senior management if they cannot be resolved by the staff working on the project on a day-to-day basis. Mediation, arbitration or going to court are other possibilities if problems still cannot be resolved.

--- Consider external advice
SLAs are often produced by a user and supplier without obtaining external advice. External advisers who regularly deal with SLAs can help to ensure that the agreement covers all the relevant issues. They can be particularly useful if any party is unfamiliar with the issues which arise in SLAs, if the SLA is high-value, or if the services provided under the SLA are critical to the business.

--- Ease of use
If SLAs are too detailed, too complex or too long, it will be difficult for staff to understand and use them on a regular basis. If staff do not use the agreements, it could lead to problems or disputes in the future.

Specific areas / capabilities to accommodate:

1. Audit & Compliance - The cloud service provider should clearly state how and when its controls are audited and make the audit results available to clients. How much visibility will auditors have? A standard such as SSAE16 should be used as the basis for the audit and a reputable, independent third party should conduct the audit on an annual basis. This monitoring / reporting is likely more than the standard security level, thus be prepared to pay more for additional visibility and details, common metrics. New regulations and standards are being created as information technology environments continue to contain more personal, private and sensitive data. This means your computing environment and infrastructure will need to comply with stricter and more open auditing regulations.

2. Availability - The cloud service provider should provide a system availability commitment which refers to what percentage of time the system (including a client's business critical workflows) will be continuously available. This availability should be objectively measured using automated scripts that also incorporate access to third party services made available from the cloud provider's platform.
The percentage of system uptime and number of scheduled maintenance windows should be outlined.
-- What types of software, hardware and facilities are used? Don't just accept the information offered in the Service Level Agreement (SLA). Most cloud solution providers are not likely to realign their SLAs to cover the business loss in case of outage. For this reason, it's important to ensure that the environment is built properly using enterprise grade platforms.

3. Business Continuity - The cloud service provider must outline their disaster recovery plans, explicitly stating their primary site redundancy positioning and RTO / RPO commitments to ensure adequate protection in case of a disaster. Disaster recovery tests should be performed regularly and documented with the results available for review.

4. Customer Support - The cloud service provider should explain how their customer support staff will provide the skills, knowledge and expertise required to support a client's business and technical needs. How is support handled? What is your staff's level of technical competence? Even if support is always available and always accessible, it is important that the support staff can offer the skills, knowledge and expertise that match your specific platforms and applications.

5. Geographic Presence - The cloud service provider must ensure that its systems and associated Operations and Customer Support teams are available to service the client's business.

6. Location of Data - The cloud service provider must be able to clearly identify where a client's data is stored and how the applicable data provenance requirements are enforced.

7. Maintenance - The cloud service provider should outline the types of maintenance tasks it performs and their associated maintenance window schedule.

8. Performance - The cloud service provider must clearly state their response time objective and should have a monitoring solution that can objectively and transparently measure performance commitments outlined in their service level agreement. To safeguard against poor performance, make sure the provider offers a monitoring solution that includes a detailed overview for Network Capacity (Mbps), Memory Capacity (GB), Disk Capacity (GB), Disk IO (IOPS), and Compute (Varies).

9. Privacy - The cloud service provider should clearly state how client data is secured (including encryption algorithms) and kept private from other clients and third parties.

10. Security - The cloud service provider must be able to provide their documented security policies and evidence that these policies are being followed. Third party penetration testing should be performed and the results made available for review.
-- Can my physical and virtual environments be intermixed? All your platforms may not be ready for the cloud or virtualization. Because of this, make sure that your cloud provider offers physical colocation in combination with their cloud services. If your platforms in the cloud need to speak to applications on other platforms outside the cloud, it's important to have this flexibility of physical colocation interoperation.

Guidance on cloud computing

Guides exist at many levels of policy, strategy, and technical detail; cloud computing is mandated for federal agencies in our law, policy, and strategy, with guidance in the National Defense Authorization Act (NDAA), DoD CIO and DoD strategies, and other organizational implementation directives. The Federal Chief Information Officer (CIO) established the federal Cloud First strategy in (DoD 2012, p. E-1). NIST has provided technical guidance on several aspects of cloud computing, including the security implications of virtualization across the life cycle of cloud services as discussed in NIST Special Publication (SP) . Cloud computing standards and services are addressed in a series of roadmap documents to include, but not limited to: (a) NIST Cloud Computing Standards Roadmap, SP ; (b) NIST Cloud Computing Reference Architecture, SP ; (c) NIST, US Government Cloud Computing Technology Roadmap, Volume I, Release 1.0, SP (DRAFT); (d) NIST, US Government Cloud Computing Technology Roadmap, Volume II, Release 1.0, Useful Information for Cloud Adopters, SP (DRAFT); and (e) NIST, US Government Cloud Computing Technology Roadmap Volume III, Technical Considerations for USG Cloud Computer Deployment Decisions (First Working Draft). Additionally, as data center operations are tightly linked with cloud, those security concerns are addressed in the Guidelines on Security and Privacy in Public Cloud Computing, SP .

Characteristics of Cloud Computing Services

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST SP , p. 2). Cloud computing implementations have five essential characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service (ibid). Matching cloud provider capabilities with business computing needs means sorting through the various cloud options of technologies, deployment models, and service offerings for the desired security.

The understanding of responsibilities between the organization and service provider is especially critical during incidents and contingency operations. The organization and the cloud service provider have different responsibilities for security controls, which vary by type of service and must be clearly stated in the SLAs.

Figure 2 is the NIST cloud definition framework. This framework displays the main components of the various deployment models, service models, essential characteristics, and common characteristics. Cloud deployment models are either private cloud, public cloud, or a hybrid between private and public. Each deployment model affects the C-I-A of our data, where we may have less control / visibility using public cloud services. Common government service models for cloud computing are software as a service (SAAS), platform as a service (PAAS), and infrastructure as a service (IAAS). In the commercial market, other service models are available to include data as a service (DAAS) and storage as a service (SAAS). All of these various services affect how and where the IA controls are implemented and managed, yet the data owner always retains the responsibility for their data protection and use.

Data center security is also important in cloud, which serves as the main link to facilitate data collaboration, where the common characteristics therein are: massive scale, virtualization, homogeneity, resilient computing, geographic distribution, and advanced security (ibid). All of these common characteristics have potential sharing and communications vulnerabilities concerning data C-I-A security controls.

Data, especially sensitive data, is any organization's most critical asset. Everyone needs to be involved in protecting the C-I-A of sensitive data, be that IP, PII, privacy or national security. Cloud computing constructs like big data and predictive analytics are a key part of the data value proposition, where they can increase the data efficiency as well, through their shared data capabilities, data centers, etc., all using secure protocols. These capabilities improve application performance and promote data independence (separation of data and application).

Figure 2: The NIST Cloud Definition Framework (NIST ITL 2009, p. 15)

Vulnerabilities

There are many security risks to accommodate, specifically in data and availability / provisioning. The data risks include: access control, internal segmentation, sub-contractors, data ownership, e-discovery methods, data censorship, encryption and key management. Availability / provisioning risks include: service degradation, service outage, service and cost changes, audit records, storage location, breach notifications, and compliance support.

Current vulnerabilities include the lack of a coordinated, rapid, and agile response to complex threats. Part of the problem is that each organization has a different security architecture, with different network interfaces including potentially conflicting security policies and controls and methods of certification and accreditation. Implementation of cloud computing with traditional perimeter defense does not fix existing vulnerabilities and could degrade data confidentiality and integrity.

Some vulnerabilities come from the nature of cloud computing, which is characterized by tight integration and the implicit trust typical between hosts within the environment. A critical vulnerability is the high degree of implicit trust between the computational nodes within a cloud or a distributed computing infrastructure, which allows malware to propagate rapidly once it is within the enclave. Cloud computing infrastructures, in particular, tightly integrate large numbers of hosts using high speed interconnection fabrics that can serve to propagate attacks even more rapidly than conventional networked systems (DARPA 2011). This vulnerability can be exploited by a threat to access systems and data stores to affect data confidentiality and integrity. The vulnerability mitigation is to use other aspects of cloud security services for better monitoring of activities and behaviors within the environment, to include monitoring data flows, or to encrypt the data itself as it flows across various components, minimizing the attack surface.

Another vulnerability is the concentration of data at data centers and increased data availability with cloud computing. This concentration benefits the ability of data to be discovered and the power available for its processing. The cloud environment increases the opportunity for information sharing, provides the processing power for advanced algorithms, and allows for the use of advanced algorithms. This same concentration of data allows an insider or even an attacker to have availability to data that would have otherwise been inaccessible. This increases the risk of data loss and compromise to hostile insiders and attackers. With this concentration, the opportunity exists for the implementation of security controls that better monitor data use.

Recommended Security Controls (added perspectives)

FedRAMP reviewed 334 security controls from NIST documents for cloud computing providers. These security controls are contained in the FedRAMP Security Controls Baseline Version 1.1 and are part of FedRAMP's provisional authorization process for cloud service providers. The SANS Institute has 20 critical security controls, where many of these security controls are directly applicable to cloud, data use and data centers. The CSA and NIST cloud guidelines address the security controls that are particularly applicable in the cloud environment for data C-I-A: access control; audit and accountability; assessment and authorization; configuration management; identification and authentication; incident response; media protection; risk assessment; system and services acquisition; and system and information integrity (FedRAMP Security Controls Baseline 2012, p. 1). While all security controls are important, the threats and risks identified above require security controls that assist with configuration management, risk assessment, system and services acquisition, and system and information integrity. These controls assist with the shift from securing systems and networks to securing data and its use in a multi-tiered defense.

An essential part of any cloud security effort is a comprehensive risk management process; we strongly recommend all organizations use NIST's Risk Management Framework (RMF) (see NIST Special Publication Revision 1 which explains the RMF in detail) as complemented by the specific cloud risk particulars that FedRAMP uses.

Under cloud computing, the change in focus to data flow and usage can simplify the security problem for data C-I-A. Cloud computing can leverage cloud analytic capabilities for managing data security within and across network boundaries. Figure 7 displays the types of data compared to the speed of analysis by the type of analytics that will assist with security control. These analytics still manage the flow of information at the boundary. The change is the development of security and information management to understand data behavior - dedicated security analytics will allow for the understanding of system behaviors. This analytic approach allows for increased tracking of data as it moves within the network and across network boundaries. The result could be an increase in the ability to provide the organization's data C-I-A (to authorized users).

Figure 7: Security Information and Event Management (McDonald 2012, p. 9).

NIST's concept of continuous monitoring includes automated monitoring of standard configuration settings for information technology products, vulnerability scanning, and ongoing assessments of security controls. In addition to deciding on appropriate monitoring activities


More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Securing Virtual Applications and Servers

Securing Virtual Applications and Servers White Paper Securing Virtual Applications and Servers Overview Security concerns are the most often cited obstacle to application virtualization and adoption of cloud-computing models. Merely replicating

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud Blue skies ahead? Yes if you are protected when you move to the cloud. Lately, it seems as if every enterprise

More information

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC RE Think Invent IT & Business IBM SmartCloud Security Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC 2014 IBM Corporation Some Business Questions Is Your Company is Secure

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Cloud Security for Federal Agencies

Cloud Security for Federal Agencies Experience the commitment ISSUE BRIEF Rev. April 2014 Cloud Security for Federal Agencies This paper helps federal agency executives evaluate security and privacy features when choosing a cloud service

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011 IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011 Cloud Basics Cloud Basics The interesting thing about cloud computing is that we've redefined cloud computing to include everything

More information

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

More information

New Risks in the New World of Emerging Technologies

New Risks in the New World of Emerging Technologies New Risks in the New World of Emerging Technologies Victor Chu Client Technical Professional Identity, Security, and Compliance Management Software Group IBM Malaysia Risk it s NOT a four simple letter

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

Risks and Challenges

Risks and Challenges Cloud and Mobile Security: Risks and Challenges Chong Sau Wei (CISM) chong@scan associates.net General Manager Managed Security Services SCAN Associates Berhad Seminar e Kerajaan Negeri Pulau Pinang 14

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

The Cloud App Visibility Blindspot

The Cloud App Visibility Blindspot The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Cloud Security Introduction and Overview

Cloud Security Introduction and Overview Introduction and Overview Klaus Gribi Senior Security Consultant klaus.gribi@swisscom.com May 6, 2015 Agenda 2 1. Cloud Security Cloud Evolution, Service and Deployment models Overview and the Notorious

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

FACING SECURITY CHALLENGES

FACING SECURITY CHALLENGES 24 July 2013 TimeTec Cloud Security FACING SECURITY CHALLENGES HEAD-ON - by Mr. Daryl Choo, Chief Information Officer, FingerTec HQ Cloud usage and trend Cloud Computing is getting more common nowadays

More information

Enterprise effectiveness of digital certificates: Are they ready for prime-time?

Enterprise effectiveness of digital certificates: Are they ready for prime-time? Enterprise effectiveness of digital certificates: Are they ready for prime-time? by Jim Peterson As published in (IN)SECURE Magazine issue 22 (September 2009). www.insecuremag.com www.insecuremag.com 1

More information

How To Decide If You Should Move To The Cloud

How To Decide If You Should Move To The Cloud Can security conscious businesses really adopt the Cloud safely? January 2014 1 Phone: 01304 814800 Fax: 01304 814899 info@ Contents Executive overview The varied Cloud security landscape How risk assessment

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

EAaaS Cloud Security Best Practices

EAaaS Cloud Security Best Practices EAaaS Cloud Security Best Practices A Technical White Paper by Sennovate Inc Jan 2013 EAaaS Cloud Security Best Practices Page 1 Introduction: Cloud security is an ever evolving subject that is difficult

More information

Top 10 Reasons Enterprises are Moving Security to the Cloud

Top 10 Reasons Enterprises are Moving Security to the Cloud ZSCALER EBOOK Top 10 Reasons Enterprises are Moving Security to the Cloud A better approach to security Albert Einstein defined insanity as doing the same thing over and over again and expecting different

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Cloud Computing Dr. A. Askarunisa Professor and Head Vickram College of Engineering, Madurai, Tamilnadu, India N.Ganesh Sr.Lecturer Vickram College of Engineering, Madurai, Tamilnadu,

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it

Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it The Cloud Threat Why Cloud CompuTing ThreaTens midsized enterprises and WhaT To do about it This white paper outlines the concerns that often prevent midsized enterprises from taking advantage of the Cloud.

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM STORAGE SECURITY TUTORIAL With a focus on Cloud Storage Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Secure Bridge to the Cloud

Secure Bridge to the Cloud Secure Bridge to the Cloud Jaushin Lee, Ph.D. September 2013 1 Table of Contents The promise for enterprise hybrid cloud computing... 3 Reality facing enterprise today... 3 Connecting the dots... 6 Secure

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

Top 10 Risks in the Cloud

Top 10 Risks in the Cloud A COALFIRE PERSPECTIVE Top 10 Risks in the Cloud by Balaji Palanisamy, VCP, QSA, Coalfire March 2012 DALLAS DENVER LOS ANGELES NEW YORK SEATTLE Introduction Business leaders today face a complex risk question

More information

Cloud security architecture

Cloud security architecture ericsson White paper Uen 284 23-3244 January 2015 Cloud security architecture from process to deployment The Trust Engine concept and logical cloud security architecture presented in this paper provide

More information

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows

More information

A BETTER SOLUTION FOR MAINTAINING HEALTHCARE DATA SECURITY IN THE CLOUD

A BETTER SOLUTION FOR MAINTAINING HEALTHCARE DATA SECURITY IN THE CLOUD CONTINUOUS MONITORING A BETTER SOLUTION FOR MAINTAINING HEALTHCARE DATA SECURITY IN THE CLOUD Healthcare companies utilizing cloud infrastructure require continuous security monitoring. Learn how to prevent

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

More information

How To Choose A Cloud Computing Solution

How To Choose A Cloud Computing Solution WHITE PAPER How to choose and implement your cloud strategy INTRODUCTION Cloud computing has the potential to tip strategic advantage away from large established enterprises toward SMBs or startup companies.

More information

An Evaluation Framework for Selecting an Enterprise Cloud Provider

An Evaluation Framework for Selecting an Enterprise Cloud Provider An Evaluation Framework for Selecting an Enterprise Cloud Provider WHITE PAPER This White Paper is intended for senior IT leaders of global enterprises considering a new cloud solution or expanding an

More information

Cloud Customer Architecture for Web Application Hosting, Version 2.0

Cloud Customer Architecture for Web Application Hosting, Version 2.0 Cloud Customer Architecture for Web Application Hosting, Version 2.0 Executive Overview This paper describes vendor neutral best practices for hosting web applications using cloud computing. The architectural

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Looking Ahead The Path to Moving Security into the Cloud

Looking Ahead The Path to Moving Security into the Cloud Looking Ahead The Path to Moving Security into the Cloud Gerhard Eschelbeck Sophos Session ID: SPO2-107 Session Classification: Intermediate Agenda The Changing Threat Landscape Evolution of Application

More information

Unified Threat Management, Managed Security, and the Cloud Services Model
