DRAFT, Version 0.9, March 2013
About ENISA

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Authors
Dr. Marnix Dekker, Matina Lakka

Contact
For contacting the authors please use resilience@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

Acknowledgements
This work was done in collaboration with Antonio Ramos (Leetsecurity).

Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged.
European Network and Information Security Agency (ENISA), 2013
Executive summary

TODO: We provide an overview of standards relevant for cloud computing security. We map the standards to a set of use cases.
Table of Contents

Executive summary  iii
1 Introduction  1
2 Cloud service model  2
3 Use cases  3
4 Standards  4
5 Mapping standards  5
6 Conclusions  7
7 References  8
7.1 Related ENISA papers  8
7.2 Legislation  8
8 Annex: Full list of standards  9
8.1 HTML / XML  9
8.2 WSDL / SOAP  10
8.3 OAuth  11
8.4 SAML  12
8.5 OData  13
8.6 OVF  14
8.7 OpenStack  15
8.8 CAMP  15
8.9 CIMI  16
8.10 ODCA SUoM  17
8.11 SCAP  18
8.12 CSA CCM  19
8.13 EuroCloud Star Audit  20
8.14 EuroPriSe  21
8.15 ISO 27001  22
8.16 ITIL  23
8.17 SOC  24
8.18 Tier Certification  25
1 Introduction

We provide an overview of standards relevant for cloud computing security. Besides giving a brief summary of the different standards and explaining how they work, we also provide two maps which show the main characteristics of the standards and the use cases in which they become relevant for cloud customers. This work is done in the context of the cloud strategy issued in 2012 by the EC, which calls for ENISA to support the EC in listing certification schemes and standards. This is an intermediate result which merely lists and provides an overview of standards relevant for cloud computing customers, from a security perspective.

1.1 Target audience

This document is aimed at CIOs and architects in enterprises and SMEs in the EU, and at CIOs and decision makers in government organizations in the EU. It may also be of interest to industry experts and industry associations.

1.2 Scope

This document looks at standards which are relevant for cloud customers when adopting or using cloud computing services. The standards included in this document are security standards, when relevant for cloud computing users, and cloud computing standards, when relevant for cloud computing users from a security perspective. This means that we include interoperability standards when relevant for the security of customers. We ignore standards below the transport layer (Ethernet, TCP/IP, TLS/SSL, HTTP, SMTP, et cetera). We also ignore standards for providers about how to design and develop cloud services which are of no direct use to customers. For example, there may be standards for cooling server racks which may be relevant when building cloud services, but we exclude them because they are not directly relevant for customers.

1.3 Structure of this document

In Section 2 we provide an overview of the different technologies involved in the different types of cloud computing.
In Section 3 we analyse the use cases in the procurement lifecycle. In Section 4 we present our list of standards, and in Section 5 we introduce two types of standards maps: One map shows which standards address which technological areas, and other characteristics of standards (openness, adoption rate, et cetera). In the other map we show which standards address which use cases. We conclude with some observations about gaps and overlaps.
2 Cloud service model

Cloud computing services are often divided into three types:

Software as a Service (SaaS): In SaaS, the provider delivers a full-fledged software application via the internet. Applications include email servers, email clients, document editors and customer relationship management systems. SaaS services can often be accessed with a browser or a web services client.

Platform as a Service (PaaS): In PaaS, the provider delivers a platform for customers to run software applications on, via the internet. The applications that customers can run on these platforms range from scripts (PHP, Python) to byte code (Java servlets, C#). Often PaaS providers also provide a software development tool to develop applications for the platform. Examples include Google App Engine, Microsoft Azure and Amazon Elastic Beanstalk.

Infrastructure as a Service (IaaS): In IaaS the provider delivers storage (virtual databases) or computing resources (virtual hardware) via the internet. Examples include Amazon's Elastic Compute Cloud, Google's Compute Engine, Amazon Simple Storage Service, Google Cloud Storage, Microsoft Windows Azure Storage, Rackspace, Amplidata, cloud.bg and VPS.net.

We explain the different technologies involved in the different types of cloud services.

[Figure 1: cloud service model. Layers: Facilities (Network, Housing, Cooling, Power), Hypervisor, Virtual Machine, OS, Application server, Application, Data, Client. For IaaS, PaaS and SaaS the figure shows which layers are the customer's and which are the provider's.]
Fig 1. Map of different technologies in the different types of cloud services.
3 Use cases

In this section we look at the overall procurement lifecycle and we identify 7 high-level use cases where the customer interacts with a cloud service provider. We stress that this is a limited list of use cases and not an exhaustive one. In each of these use cases standards may apply.

[Figure 2: business use case diagram with the actors Cloud user, Cloud provider and Auditor, and the use cases UC1 Select cloud service, UC2 Agree contract/SLA, UC3 Migrate/Integrate, UC4 Operate/Manage, UC5 Monitor, UC6 Audit/Inspect, UC7 Exit/Migrate.]
Fig 2. Business use case diagram with 7 high-level use cases

UC1: Select cloud service: The customer wants to decide about a cloud service to use (if at all). The user could issue a request for proposal and compare offers, and/or carry out a due diligence process on existing offers. The user may require parts of the provider or the service to be certified.

UC2: Agree contract / Service Level Agreement (SLA): The customer wants to agree on a contract and an SLA defining detailed service levels and agreed procedures between the customer and the provider.

UC3: Migrate/Integrate: The customer wants to migrate some existing application and/or data, or integrate the cloud service with existing services, systems and applications.

UC4: Operate/Manage: The customer wants to manage and configure the service.

UC5: Monitor: The customer wants to monitor the service during operation, for example to know about issues, service levels, et cetera.

UC6: Audit/Inspect: The customer wants to audit or inspect the service, for example post-incident or to show (as part of an audit of the customer's organisation).

UC7: Exit/Migrate: The customer wants to exit the contract and migrate its application or data to another provider.
4 Standards

In this document, for each standard we will look at the following aspects:

- Adoption: the estimated size of the user base, either end-users or organizations. We distinguish three levels:
  *** globally - thousands of organizations worldwide
  ** widely - hundreds of organizations, regional or worldwide
  * limited - tens of organizations or less, for example in pilots
- Certification/auditing: whether or not there is a certification framework to certify compliance with the standard, or, alternatively, whether or not it is common to have third-party audits to certify. We distinguish three levels:
  *** Audits are common and certification frameworks exist.
  ** There are audits against the standard, but no formal certification scheme.
  * De-facto standard. There is no audit or certification against it.
- Openness: whether or not the standard is public and open, and whether or not the review process is public and open. We distinguish three levels:
  *** Open consultation for drafts (like W3C, IETF, OASIS, etc.), open access to final versions (or a small fee, for example less than 100 euro).
  ** Consultation is closed/membership-based, but there is open access to the standard.
  * The standard is not open to the public and access to the standard is restricted, or to purchase a useful standards set you will spend more than 100 euro.
- Use cases: the use cases where this standard plays a role (UC1 to UC7).
- Technology: the kind of technology the standard applies to (IaaS, PaaS, SaaS).

In this document we focus on the following standards. This list is based on input from the ETSI working group on standards and the list of cloud standards published by NIST.

HTML / XML
WSDL / SOAP
OAuth
SAML
OData
OVF
OpenStack
CAMP
CIMI
ODCA SUoM
SCAP
CSA CCM
EuroCloud Star Audit
EuroPriSe
ISO 27001
ITIL
SOC
Tier Certification

For the sake of readability the list of standards is included as an annex.
5 Mapping standards

In this section we present two maps of standards, showing:
- Which standards address which use cases
- Which standards have which characteristics

Table 1 shows which standards address which use cases. The columns are UC1 (Select cloud service), UC2 (Agree contract), UC3 (Migrate/integrate), UC4 (Operate/manage), UC5 (Monitor), UC6 (Audit/inspect) and UC7 (Exit/migrate); the x marks are reproduced as extracted, without their column positions.

Standard              Use cases addressed
HTML/XML
WSDL/SOAP             x x
OAuth                 x x x
SAML                  x x x
OData                 x x x
OVF                   x x x
OpenStack             x x x
CAMP                  x x x x
CIMI                  x x x
ODCA SUoM             x x
SCAP                  x
CSA CCM               x x
EuroCloud Star Audit  x x
EuroPriSe             x x
ISO 27001             x x
ITIL                  x x
SOC                   x x
Tier Certification    x x

Table 1. Use cases addressed by each standard
In Table 2 we show the application domain of the different standards (Facilities, IaaS, PaaS, SaaS, Organization) and their general characteristics, in terms of adoption, certification and openness, rated * to *** as defined in Section 4. The domain x marks are reproduced as extracted, without their column positions.

Standard              Domain   Adoption  Certification  Openness
HTML/XML              x x      ***       *              ***
WSDL/SOAP             x x      ***       *              ***
OAuth                 x        ***       *              ***
SAML                  x        ***       *              ***
OData                 x x      *         *              ***
OVF                   x        ***       *              ***
OpenStack             x x      **        *              **
CAMP                  x        *         *              **
CIMI                  x        *         *              ***
ODCA SUoM             x        *         *              **
SCAP                  x x x x  ***       *              **
CSA CCM               x x      *         ***            ***
EuroCloud Star Audit  x x x    *         ***            *
EuroPriSe             x x      *         ***            **
ISO 27001             x x      ***       ***            **
ITIL                  x        **        ***            **
SOC                   x x      **        ***            **
Tier Certification    x        **        ***            *

Table 2. Characteristics of the standards
6 Conclusions

//TODO

//Note about data protection: there does not seem to be a standard for privacy settings or security measures to protect personal data. Maybe interesting for future work.

//Note about LEA access requests: there is sometimes talk about standardizing data access requests and forensics. This may be interesting for future work. In this document, we focus on the common use cases involving the customer.

//Note on possible weak areas: there are some use cases where very few standards exist:
- UC2. Agree contract / SLAs
- UC3. Migrate / integrate for PaaS and SaaS models
- UC4. Operate / manage for PaaS and SaaS models
- UC5. Monitoring
- UC7. Exit / migrate for PaaS and SaaS models

NOTE: The idea of service labelling introduced by the EU Cyber-security strategy could be interesting.
7 References

7.1 Related ENISA papers

The 2009 ENISA Cloud computing risk assessment assesses risks and benefits for SMEs who consider adopting cloud computing.

The 2011 ENISA report on security and resilience of Governmental clouds provides guidance for government organisations on selecting cloud computing services.

The 2012 ENISA report on secure procurement of cloud computing services focuses on monitoring service levels of cloud computing services.

The 2012 ENISA report on National Cyber Security Strategies aims to identify the most common and recurrent elements and practices of national cyber security strategies (NCSSs), in EU and non-EU countries.

//EU CLOUD PARTNERSHIP

7.2 Legislation

RELEVANT LEGISLATION
8 Annex: Full list of standards

In this section we describe the different standards.

8.1 HTML / XML

Name: HyperText Markup Language (HTML) / Extensible Markup Language (XML)
URL: http://www.w3.org/html/ ; http://www.w3.org/xml/
Issued by: World Wide Web Consortium: HTML Working Group; and XML Core Working Group
Openness: Open. Development: discussion is kept between W3C members (and potentially non-member experts invited by the Group Chair). Availability: the protocol is freely available to download from the XML Protocol Working Group.
Use cases: UC3. Migrate/Integrate: as de facto standards of the Internet, HTML / XML allow a user to move from one provider to another, because all providers are going to support both.
Technology: IaaS and SaaS. Both languages make communication between elements possible; because of this they also affect the API/GUI element.
Certification: the use of these languages is not accredited nor certified by any body, but as they have become W3C Recommendations, they are used these days as the basis for Internet-based services.
User base: Globally. Millions of companies use these standards, as XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet Media Types for use when sending XML).
Description [1]: HTML is the main markup language for creating web pages and other information that can be displayed in a web browser. HTML elements form the building blocks of all websites. HTML allows images and objects to be embedded and can be used to create interactive forms. It provides a means to create structured documents by denoting structural semantics for text such as headings, paragraphs, lists, quotes and other items. It can embed scripts written in languages such as JavaScript which affect the behaviour of HTML web pages. XML is a subset of SGML (markup language) that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a textual data format with strong support via Unicode for the languages of the world. Although the design of XML focuses on documents, it is widely used for the representation of arbitrary data structures, for example in web services. Many application programming interfaces (APIs) have been developed to aid software developers with processing XML data, and several schema systems exist to aid in the definition of XML-based languages. As of 2009, hundreds of XML-based languages have been developed, including RSS, Atom, SOAP, and XHTML. XML-based formats have become the default for many office-productivity tools. XML has also been employed as the base language for communication protocols, such as XMPP.

8.2 WSDL / SOAP

Name: Simple Object Access Protocol (SOAP) / Web Services Description Language (WSDL)
URL: http://www.w3.org/2000/xp/group/
Issued by: World Wide Web Consortium: XML Protocol Working Group; and Web Services Description Working Group
Openness: Open. Development: discussion between W3C members (and potentially non-member experts invited by the Group Chair). Availability: documents are freely available to download from the XML Protocol / Web Services Description Working Groups.
Use cases: UC3. Migrate/Integrate: as de facto standards of the Internet, SOAP / WSDL allow a user to move from one provider to another, because all providers are going to support both.
Technology: IaaS and SaaS. Both work by making communication between elements possible; because of this they also affect the API/GUI element.

[1] http://en.wikipedia.org/wiki/html and http://en.wikipedia.org/wiki/xml
Certification: the SOAP / WSDL standards are voluntary and there is no body responsible for accrediting in any way that a service complies with them.
User base: Globally. Millions of companies use these standards, as XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet Media Types for use when sending XML).
Description [2]: SOAP is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other Application Layer protocols, most notably HTTP or SMTP, for message negotiation and transmission. The protocol consists of three parts: an envelope, which defines what is in the message and how to process it; a set of encoding rules for expressing instances of application-defined datatypes; and a convention for representing procedure calls and responses. WSDL is an XML-based interface description language that is used for describing the functionality offered by a web service. A WSDL description of a web service provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns.

8.3 OAuth

Name: OAuth 2.0 Authorization Framework
URL: http://tools.ietf.org/html/rfc6749
Issued by: Internet Engineering Task Force (IETF)
Openness: Open. Development: the standard is discussed by IETF OAuth Working Group experts. Availability: the document is freely available to download from the IETF website.
Use cases: UC3. Migrate/Integrate: OAuth allows a user to manage access to provider resources in line with their internal needs. UC4. Operate/Manage: during the life of the service, OAuth supports the modification of access authorizations to provider resources, according to user needs. UC7. Exit/Migrate: OAuth facilitates portability between cloud implementations that support the framework.
Technology: SaaS. As a framework that allows access to an HTTP service, it works on the API/GUI element of the cloud service model.

[2] http://en.wikipedia.org/wiki/soap and http://en.wikipedia.org/wiki/web_services_description_language
Certification: the OAuth framework is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
User base: Globally. Due to adoption by the main public cloud providers and social networks, OAuth is used by thousands of applications and millions of users.
Description: OAuth enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf (OpenID is included as a subset of OAuth). OAuth introduces an authorization layer and separates the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

8.4 SAML

Name: Security Assertion Markup Language (SAML)
URL: http://saml.xml.org/wiki/saml-wiki-knowledgebase
Issued by: Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by OASIS Security Services Technical Committee experts. Availability: the document is freely available to download from the OASIS website.
Use cases: UC3. Migrate/Integrate: SAML provides users with an interface to manage the provision of identification and user authentication between user and provider. UC4. Operate/Manage: during the life of the service, SAML supports the modification of identification and user authentication, according to user needs. UC7. Exit/Migrate: SAML facilitates portability between cloud implementations that support the language.
Technology: SaaS. As a framework that allows access to an HTTP service, it works on the API/GUI component of the cloud service model.
Certification: the SAML standard is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
User base: Globally. Thousands of applications use SAML, but it is estimated that this is less than 10% of the available applications (in fact, it is being replaced by OAuth as the de facto standard for identity management).
Description: SAML provides an XML-based framework for communicating user authentication, entitlement, and attribute information between online partners. SAML provides a standard XML representation for specifying this information and interoperable ways to exchange and obtain it. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality.

8.5 OData

Name: Open Data Protocol
URL: http://www.odata.org/
Issued by: OData & Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by OASIS OData Technical Committee experts. Availability: the document is freely available to download from the OData website.
Use cases: UC3. Migrate/Integrate: using OData, cloud users could connect internal services with cloud ones, making the integration of this kind of service easier. UC4. Operate/Manage: data management is one of the most important issues regarding cloud services; the use of standards like OData makes it easier to interchange data with cloud providers. UC7. Exit/Migrate: when changing from one cloud service provider to another, using data management standards reduces the lock-in ability of any provider.
Technology: IaaS and SaaS. OData works on the elements of the cloud service model that allow access to data.
Certification: the OData protocol is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
User base: Limited. Tens of applications and tens of live services implement the OData Protocol at the time of issuing this report (according to the OData website).
Description: OData is a web protocol for querying and updating data. OData applies and builds upon Web technologies such as HTTP, Atom Publishing Protocol and JSON to provide access to information from a variety of applications, services, and stores. OData can be used to expose and access information from a variety of sources including, but not limited to, relational databases, file systems, content management systems and traditional Web sites. OData provides a uniform way to expose, structure, query and manipulate data using REST practices and JSON or Atom syntax to describe the payload.

8.6 OVF

Name: Open Virtualization Format
URL: http://www.dmtf.org/standards/ovf
Issued by: Distributed Management Task Force (DMTF)
Openness: Open. Development: the standard is discussed by DMTF group experts. Availability: the document is freely available to download from the DMTF website.
Use cases: UC3. Migrate/Integrate: a user who already implements virtualization can benefit from OVF, which makes the move to the cloud easier. UC4. Operate/Manage: during the service life-cycle, OVF allows the user to install new virtual machines in an easy way. UC7. Exit/Migrate: if providers adopt OVF, users can move their virtual machines from one provider to another without needing modifications in this field.
Technology: IaaS. OVF establishes requirements for easing the mobility of virtual machines and hypervisors.
Certification: the OVF protocol is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
User base: Globally. OVF has been adopted by the main virtualization players, so thousands of users are using the standard.
Description: OVF is a standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines. The standard describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software, not tied to any particular hypervisor or processor architecture.
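The OVF entry above calls the format "secure" and "portable" without saying what a customer can actually check when an appliance arrives from a provider or a third party. The script below is an added example, not code from the ENISA report or from the DMTF: it goes beyond the text by using the OVF manifest (the .mf file that lists a digest for every file in the package, one line per file in the form SHA256(<filename>)= <hexdigest>; OVF 1.x used SHA1) to verify a package before import. The descriptor, disk image and manifest are constructed in memory and are placeholders, so the check runs offline; a real importer would read them from the package directory.

```python
"""Integrity check of an OVF package before import (added example, constructed data)."""
import hashlib
import re
from typing import Dict, List, Tuple

# One manifest line: ALGO(filename)= hexdigest  (assumed OVF .mf convention)
MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<hex>[0-9a-fA-F]+)$"
)

# Constructed sample package: a minimal descriptor plus a placeholder "disk".
SAMPLE_FILES: Dict[str, bytes] = {
    "appliance.ovf": (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"\n'
        b'          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">\n'
        b'  <References><File ovf:id="disk1" ovf:href="disk1.vmdk"/></References>\n'
        b"</Envelope>\n"
    ),
    "disk1.vmdk": b"constructed placeholder disk image bytes\n",
}


def build_manifest(files: Dict[str, bytes], algo: str = "sha256") -> str:
    """Produce the .mf content a packager ships next to the descriptor."""
    return "".join(
        f"{algo.upper()}({name})= {hashlib.new(algo, data).hexdigest()}\n"
        for name, data in files.items()
    )


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Map filename -> (hash algorithm, expected hex digest); reject malformed lines."""
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
    return entries


def verify_package(files: Dict[str, bytes], manifest: str) -> List[str]:
    """Return a list of findings; an empty list means every file matches the manifest."""
    findings: List[str] = []
    entries = parse_manifest(manifest)
    for name, (algo, expected) in entries.items():
        data = files.get(name)
        if data is None:
            findings.append(f"{name}: listed in manifest but missing from package")
            continue
        if hashlib.new(algo, data).hexdigest() != expected:
            findings.append(f"{name}: digest mismatch ({algo})")
    # A file the manifest never vouched for is also a finding: the importer
    # must only act on files whose digest was checked.
    for name in files:
        if name not in entries and not name.endswith(".mf"):
            findings.append(f"{name}: present in package but not listed in manifest")
    return findings


SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)


def tampered_package() -> Dict[str, bytes]:
    """Same package with the disk image altered after the manifest was written."""
    files = dict(SAMPLE_FILES)
    files["disk1.vmdk"] = SAMPLE_FILES["disk1.vmdk"] + b"extra bytes\n"
    return files


if __name__ == "__main__":
    print("intact  :", verify_package(SAMPLE_FILES, SAMPLE_MANIFEST) or "OK")
    print("tampered:", verify_package(tampered_package(), SAMPLE_MANIFEST))
```

The manifest only binds the files to digests; it does not say who produced them. OVF also allows a detached signature over the manifest (a .cert file), and a customer who relies on appliances from a marketplace would check that signature before trusting the digests at all.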
8.7 OpenStack

Name: OpenStack Open Source Cloud Computing Software
URL: http://www.openstack.org/
Issued by: OpenStack Foundation
Openness: Partly open. Development: new software functionalities are discussed between OpenStack Foundation experts. Availability: documents and source code are freely available to download from the OpenStack website.
Use cases: UC3. Migrate/Integrate: use of OpenStack systems by a user simplifies the move to the cloud (provided the provider also uses it). UC4. Operate/Manage: during the life of the service, the OpenStack dashboard allows the management of cloud resources by the user. UC5. Monitor: the OpenStack dashboard can also be used to monitor the usage of cloud resources. UC7. Exit/Migrate: OpenStack systems facilitate portability between cloud implementations that support the specification.
Technology: Facilities and IaaS. Looking at the OpenStack components, network, hardware and hypervisor are mainly covered by the software.
Certification: use of an OpenStack-compatible system is voluntary and there is no body responsible for accrediting in any way that a system complies with it.
User base: Widely. Hundreds of companies have joined the OpenStack project.
Description: OpenStack is free open source software committed to an open design and development process. The mission of the project is to enable any organization to create and offer cloud computing services running on standard hardware. OpenStack has the following components: compute, object storage, image service, identity, dashboard, networking, block storage, metering, and orchestration & service definition.

8.8 CAMP

Name: Cloud Application Management for Platforms
URL: http://cloudspecs.org/camp/camp_v1-0.pdf
Issued by: CloudBees, Cloudsoft, Huawei, Oracle, Rackspace, Red Hat, and Software AG
Openness: Partly open. Development: the specification has been created by the organisations mentioned above. Availability: the document is freely available to download from the CAMP website.
Use cases: UC3. Migrate/Integrate: CAMP provides users with artifacts and APIs to manage the provision of resources of their PaaS provider. UC4. Operate/Manage: during the life of the service, CAMP supports the modification of PaaS resources, according to user needs. UC5. Monitor: the CAMP specification can be used to supervise the use of PaaS resources during the operation of the service. UC7. Exit/Migrate: CAMP facilitates portability between cloud implementations that support the specification.
Technology: PaaS. CAMP focuses on managing the PaaS elements of the infrastructure.
Certification: the CAMP specification is voluntary and there is no body responsible for accrediting in any way that a service complies with it.
User base: Limited. Parts of the specification are under development by OASIS and no public adherence has been shown apart from the authors.
Description: The main objective of the CAMP specification is to leverage similarities between different PaaS offerings (using languages such as Java, Python, and Ruby and frameworks such as Spring and Rails) and to produce a generic application and platform management API that is language, framework, and platform neutral. The specification includes the artifacts and APIs that need to be offered by a PaaS cloud to manage the building, running, administration, monitoring and patching of applications in the cloud, contributing to the interoperability among self-service interfaces to PaaS clouds.

8.9 CIMI

Name: Cloud Infrastructure Management Interface (CIMI) Model and RESTful HTTP-based Protocol. An interface for managing cloud infrastructure.
URL: http://dmtf.org/sites/default/files/standards/documents/dsp0263_1.0.0.pdf
Issued by: Distributed Management Task Force, Inc. (DMTF)
17 192 Description Open: Development Standard is discussed by DMTF Cloud Management Working Group experts. Availability Document is freely available to download from DMTF website. UC3. Migrate/Integrate CIMI provides users with an interface to manage the provision of resources of her IaaS provider. UC4. Operate/Manage During the life of the service, CIMI supports the modification of IaaS resources, according to user needs. UC7. Exit/Migrate CIMI facilitates portability between cloud implementations that support the specification. IaaS CIMI proposes an interface to manage infrastructure resources. CIMI standard is voluntary and there is no body responsible to accredit in any way that a service is with it. Limited Tens of companies has publicly shown its support to CIMI since it was published in August, 2012. CIMI defines a logical model for the management of resources within the infrastructure as a Service domain. With this porpoise, basic resources of IaaS (machines, storage, and networks) are modelled using a Representational State Transfer (REST)-style protocol using HTTP (could be mapped to other protocols). Requests are sent using an HTTP verb (PUT, GET, DELETE, etc.) and includes a message body in either JSON or XML format. Open Virtualization Format (OVF) Specification support in CIMI allows an OVF package to be used to create CIMI management resources by importing the package. CIMI addresses the management of lifecycle of infrastructure provided by a provider. 193 194 8.10 ODCA SUoM Standard Units of Measure for IaaS http://www.opendatacenteralliance.org/document-sections/category/71- docs?download=458:standard_units_of_measure Open Data Center Alliance (ODCA) Partly open: Development Standard is discussed by ODCA experts. Availability Document is freely available to download from ODCA website.
18 195 196 197 Description 8.11 SCAP UC2. Agree contract/ Service Legal Agreement (SLA) SUoM is usable within a Service Catalog prior to service delivery, as a definition of the expected service capabilities while services are in use and as a billing reference after consumption. UC5. Monitoring Through the use of SUoM, customers will be able to monitor the usage of resources agreed with the cloud provider. IaaS The document includes units of measures for elements under IaaS model. Standard Units of Measure for IaaS standard is voluntary and there is no body responsible to accredit in any way that a service is with it. Limited Tens of organisations adhered to ODCA adhere to this document. SUoM describes quantitative and qualitative attributes of services to enable easier, more precise comparison and discovery of the marketplace. The objective is provide a way to compare services from competing providers of cloud services, as well as with their own internal capabilities. Such comparison could be either quantitative on a like-for-like basis (e.g., quantity of consumption, period of usage, etc.) and qualitative on a set of service assurance attributes (e.g., degree of elasticity, degree of service level, etc.). Security Content Automation Protocol (SCAP) http://scap.nist.gov/ http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf National Institute of Standards and Technology (NIST) Partly open: Development Standard is discussed by NIST community. Availability Document is freely available to download from NIST website. UC5. Monitor Using SCAP, users can monitor security flaws and evaluations of the infrastructure. Besides using common language, both sides can understand what has been detected in the infrastructure. Facilities, IaaS, PaaS, and SaaS. The document tries to make easier the security interchange information between parties, at all levels with potential vulneratibilies, i.e. all the layers in the Cloud Model except organisation. 
Certification: NIST provides an SCAP Content Validation Tool that organisations can use to help validate the correctness of their SCAP content.
Adoption: Some pieces of SCAP, such as CVSS or CVE, are globally adopted, while the rest (CPE, CCE, ...) should be considered of limited use. In fact, there are 43 content-producer products that have been validated to be SCAP-compliant, corresponding to the main vulnerability assessment vendors, so hundreds of thousands of companies are consuming SCAP-compliant information.
Description: SCAP is a suite of specifications that standardise the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control activities, and security measurement. SCAP v1.2 comprises eleven component specifications:
- Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL) and Open Checklist Interactive Language (OCIL).
- Reporting formats: Asset Reporting Format (ARF) and Asset Identification.
- Enumerations: Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE).
- Measurement and scoring systems: Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS).
- Integrity: Trust Model for Security Automation Data (TMSAD).

8.12 CSA CCM
Name: Cloud Controls Matrix v1.3 (CCM)
URL: https://cloudsecurityalliance.org/research/ccm/
Organisation: Cloud Security Alliance (CSA)
Openness: Open. Development: the standard is discussed by CSA experts. Availability: the document is freely available to download from the CSA website.
Use cases: UC1. Select Cloud Service: users can include being CCM compliant as a pre-requisite for selecting a provider. To use it, the CCM requirements have to be relevant for the specific service the user wants to move to the cloud. UC6. Audit/Inspect: if users want their provider to be audited, they could ask it for certification of compliance with CCM by a third party using the Open Certification Framework.
Cloud layers: Facilities and Organisation. Requirements included in the CCM are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: compliance with CCM can be shown in two ways: self-assessment by the provider, publishing the way it complies with it using the Consensus Assessments Initiative Questionnaire (CAIQ) and the public Security, Trust & Assurance Registry (STAR); or certification by a third party via the CSA Open Certification Framework.
Adoption: Limited. Tens of organisations have shown to be using it (according to STAR, it has been adopted by 22 cloud service providers). Besides, it is widely mentioned by security industry practitioners.
Description: CCM customises general security controls collected by other standards (ISO 27002, ISACA COBIT, PCI, NIST, ...) for cloud computing services. CCM is a control framework aligned with the CSA guidance in 13 domains that provides security principles to guide cloud vendors, and is part of the CSA Governance, Risk Management and Compliance (GRC) Stack. The Open Certification Framework is a programme that seeks an incremental cloud provider certification according to the CSA's security guidance and control objectives. The framework suggests three levels, each one offering an additional layer of trust, from a self-assessment by the provider itself, through an assessment by a third party (at this moment, CSA and BSI have signed an agreement), to continuous monitoring, which is under development at this moment.

8.13 EuroCloud Star Audit
Name: EuroCloud Star Audit
URL: http://www.saas-audit.de/en/507/overview/
Organisation: EuroCloud Deutschland eco e.V.
Openness: Not open. Development: elaborated by EuroCloud Deutschland experts. Availability: it is not available for download from the EuroCloud website, nor is it available for purchase.
Use cases: UC1. Select Cloud Service: users can include a Star Audit certification as a pre-requisite for selecting a provider. Users can choose between the three different certifiable levels: one, two or three stars. UC6. Audit/Inspect: if users want their provider to be audited, they could ask it to keep the certification, ensuring that the provider is audited every year against EuroCloud criteria.
Cloud layers: SaaS, Facilities and Organisation. Although the detailed requirements are not public, Star Audit is focused on the SaaS layer. Nevertheless, it has a certification adaptation for the infrastructure (named SaaS Ready certification) which includes requirements for the facilities that support the SaaS provision and for the organisation itself.
Certification: by eco IT Service und Beratung GmbH auditors.
Adoption: Limited. Fewer than ten services have been certified using this scheme.
Description: SaaS Star Audit considers different grades of certification, similar to hotel stars (from 1 to 5), although certifications are given only from 3 stars for SaaS services. There are three modalities of certification, which could be summarised in the following way: Star Audit SaaS certification = Star Audit SaaS Ready certification (infrastructure) + Star Audit SaaS App certification (application). Criteria included in the EuroCloud certification are: Contract and compliance; Security; Operations and infrastructure; Operational processes; Application; and Implementation.

8.14 EuroPriSe
Name: EuroPriSe European Privacy Seal
URL: https://www.european-privacy-seal.eu/
Organisation: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Openness: Partly open. Development: the certification criteria were developed by members of the European project that started the programme. Availability: the criteria are freely available to download from the EuroPriSe website.
Use cases: UC1. Select Cloud Service: users that want to ensure that providers comply with European privacy regulations can include holding a EuroPriSe certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect: if users want their provider to be audited against European privacy regulation, they could ask it to keep the certification, ensuring that the provider is audited every year against EuroPriSe criteria.
Cloud layers: Facilities and Organisation. Requirements included in the EuroPriSe Criteria are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: by ULD.
Adoption: Limited. Twelve (12) valid seals at this moment.
Description: EuroPriSe offers a European privacy certification scheme for IT products and IT-based services. Manufacturers and vendors of IT products and IT-based services can apply for the European certificate. It is awarded after successful evaluation of the product or service by independent experts (142 registered) and a validation of the evaluation report by an impartial certification body. The EuroPriSe Criteria are divided into the following four sets: Overview on fundamental issues; Legitimacy of data processing; Technical-organisational measures; and Data subjects' rights.

8.15 ISO 27001
Name: Information technology - Security techniques - Information security management systems - Requirements
URL: http://www.iso.org/iso/catalogue_detail?csnumber=42103
Organisation: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
Openness: Partly open. Development: the standard is discussed only by ISO/IEC. Availability: the document is available for purchase from the ISO online store.
Use cases: UC1. Select Cloud Service: users can include ISO/IEC 27001 certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect: although ISO/IEC 27001 certifies that providers have an Information Security Management System, not a security level, standard audits could serve the user to know that a third party annually reviews the provider's security procedures.
Cloud layers: Facilities and Organisation. This standard, as the definition of a certifiable ISMS framework, applies to all the elements relating to the management of information security on the provider side, but it does not include any specific requirements for cloud services.
Certification: the standard is certifiable by accredited certification entities.
Adoption: Globally adopted. Thousands of companies are certified against this standard (7,940 according to www.iso27001certificates.com, which cannot be considered a complete register).
Description: ISO/IEC 27001:2005 sets the principles to define, develop and operate an Information Security Management System (ISMS) that could afterwards be certified by an accreditation body. It is based on the PDCA (plan-do-check-act) model, fostering continuous improvement of information security, but it neither prescribes nor obliges any specific kind of security measures.
8.16 ITIL
Name: Information Technology Infrastructure Library
URL: http://www.itil-officialsite.com/
Organisation: United Kingdom's Cabinet Office
Openness: Partly open. Development: the standard is discussed only by the Cabinet Office. Availability: the document is available for purchase from the Best Management Practice online store.
Use cases: UC1. Select Cloud Service: users can include ISO/IEC 20000 certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect: ISO/IEC 20000 certifies providers' service management practices, so standard audits could serve the user to know that a third party annually reviews the provider's practices against the standard scheme.
Cloud layers: due to the focus of this framework on service management, it has been considered that the element of the cloud model most affected by it is the organisation one.
Certification: certification could be achieved against ISO/IEC 20000:2 (IT Service Management Certification Scheme).
Adoption: Widely adopted. Hundreds of companies are certified against ISO/IEC 20000 (713 according to http://www.isoiec20000certification.com, which cannot be considered a complete register).
Description (3): ITIL is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL describes processes, procedures, tasks and checklists that could be used by a service provider for establishing integration with the organisation's strategy. It allows the organisation to establish a baseline from which it can plan, implement and measure. ITIL 2011 has five core publications: ITIL Service Strategy; ITIL Service Design; ITIL Service Transition; ITIL Service Operation; and ITIL Continual Service Improvement.

(3) Based on the Wikipedia definition, http://en.wikipedia.org/wiki/information_technology_infrastructure_library
8.17 SOC
Name: Service Organization Control Reports
URL: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx
Organisation: AICPA (American Institute of Certified Public Accountants) and CICA (Canadian Institute of Chartered Accountants)
Openness: Partly open. Development: elaborated by AICPA/CICA experts. Availability: basic documents are freely available to download from the AICPA and Webtrust.org websites; more specific ones have to be purchased.
Use cases: UC1. Select Cloud Service: use of a SOC report (especially the SOC 2/SOC 3 types) allows providers to show compliance with a predefined set of requirements defined by AICPA/CICA. Users can ask for a SOC report of the service they would like to use as a pre-requisite for selecting a provider. UC6. Audit/Inspect: SOC reports are issued for a valid period of time, so if users ask for the reports periodically, the provider is audited continuously against security criteria by a CPA.
Cloud layers: Facilities and Organisation. Requirements included in the Trust Services Principles, Criteria, and Illustrations are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: SOC reports can be issued by independent Certified Public Accountants (CPAs) acting according to AICPA/CICA standards.
Adoption: Widely adopted. Hundreds of companies have been audited against this type of report (previously known as SAS 70 reports).
Description: SOC reports are internal control reports on the service provided by a service organisation, providing the information that users need to assess the risks. These reports are the successors of the well-known SAS 70 reports. They provide an independent evaluation of the effectiveness of controls that address operations and compliance. In fact, there are three reporting options:
- SOC 1 (restricted use): focuses solely on controls at a service organisation that are likely to be relevant to an audit of a user entity's financial statements.
- SOC 2 (generally restricted use): uses the predefined criteria in Trust Services Principles, Criteria and Illustrations (security, availability, processing integrity, confidentiality and privacy) to provide a description of the service organisation's system, the auditor's tests of controls and results, and the auditor's opinion on that description.
- SOC 3 (general use with a public seal): uses the mentioned criteria to provide only the auditor's opinion on whether the system achieved the trust services criteria.
8.18 Tier Certification
Name: Data Center Site Infrastructure Tier Standard
URL: http://uptimeinstitute.com/publications
Organisation: The Uptime Institute
Openness: Not open. Development: elaborated and discussed by the Owners Advisory Committee (those organisations that have successfully achieved Tier Certification). Availability: it is not available for download from the Uptime Institute website, nor is it available for purchase.
Use cases: UC1. Select Cloud Service: use of Tier certification allows providers to show compliance with a predefined set of requirements defined by the Uptime Institute. Users can ask for a Tier certification of the data center they would like to use as a pre-requisite for selecting a provider. UC6. Audit/Inspect: for selecting a data center, clients can ask for a Tier certification according to their requirements in order to ensure that a third party (The Uptime Institute) has audited that data center according to the Tier certification requirements.
Cloud layers: Facilities. The standard applies to the elements included in data centers: hardware, housing and power/cooling.
Certification: The Uptime Institute has retained the exclusive legal right to review, assess and certify data centers to the Institute's Tier Classification System. There are three steps: Design Certification; Constructed Facility Certification; and Operational Sustainability Rating.
Adoption: Widely adopted. There are 269 data centers certified from Tier II to Tier IV (according to the Uptime Institute website): 5 as Operational Sustainability, 4 as Constructed Facilities and 210 as Design Documents.
Description: The standard is an objective basis for comparing the functionality, capacities and relative cost of a particular site infrastructure design topology against others, or to compare groups of sites.
P.O. Box 1309, 71001 Heraklion, Greece
www.enisa.europa.eu