
Privileged Identity Management in the Cloud: Scalable Security Practices for Cloud Providers (2012)

Abstract

Cloud computing presents great opportunities for businesses and organizations to control costs and better align IT assets with business goals by using modern on-demand computing resources. Choosing an appropriate Cloud computing service can be a complex decision. Providers of Cloud services can reduce barriers to adoption by demonstrating their capability to properly secure their clients' data and applications. One key area of Cloud security is the management of privileged accounts. A proven, automated, and scalable solution is available today for public Cloud providers as well as private Cloud architects. Additionally, transparent security models with a self-service auditing portal will add value to existing Cloud services and assist with compliance verification.

Steve Staso, Cloud Computing Strategist, Field and Wave Solutions

Table of Contents

Cloud Computing Security Concerns
  NIST Cloud Definition Framework
  Cloud Computing Industry Landscape
  Different Clouds Require Different Security Responsibilities
  Secure Multi-Tenancy in the Cloud
  Top Threats to Cloud Computing
Privileged Accounts
  How Access to Privileged Identities Spreads
  Privileged Identities: The Risks
  Securing Privileged Identities Above and Below the Hypervisor
  The Limited Value of a SAS 70 Type II Audit Report
A Solution to Automate the Management of Privileged Credentials
  Buy Versus Build (or Keep Building)?
  For Your Consideration: Enterprise Random Password Manager
  Auditing Portal: Transparency Adds Value
  Hardware Encryption
Benefits to Cloud Providers
  Protect against Insider Threats
  Protect against Loss of Information, Inadvertent or Intentional
  Audit and Generate Compliance Reports
  Facilitate Global Accessibility and Delegated Workflows
  Reduce Administration Overhead
  Enable Transparent Security Practices
  Increase Consumer Confidence
Benefits to Cloud Consumers
  Manage Privileged Accounts Securely
  Document and Verify Controls and Objectives
  View Access Logs
Looking Forward
Next Steps
About the Author
References

Cloud Computing Security Concerns

Before we begin, let's agree on a standard definition of Cloud computing, and review the industry landscape.

NIST Cloud Definition Framework

The Cloud computing industry and its main players have accepted the Cloud Computing definition drafted by the National Institute of Standards and Technology (NIST). NIST is an agency of the U.S. Department of Commerce and promotes the effective and secure use of Cloud computing technology within government and industry by providing technical guidance and promoting standards. While NIST is a U.S. government organization, this should not be interpreted as an exclusion of other perspectives or geographies.

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This Cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Figure 1: NIST Cloud Definition Framework (figure not reproduced; it lays out the four deployment models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds; the three service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS); the five essential characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service; and the common characteristics: Massive Scale, Homogeneity, Virtualization, Low Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security)

NIST defines the essential characteristics of Cloud computing as follows:

1. On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
2. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
3. Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
5. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud Computing Industry Landscape

The number of Cloud providers is constantly growing. Table 1 provides a few popular providers and products used in some of the different deployment models and service models of Cloud computing.

Table 1: Well Known Cloud Providers

Infrastructure as a Service (IaaS)
  Storage Service: Amazon S3, RackSpace
  Compute and Hosting Service: Amazon EC2, Joyent Cloud, LayeredTech, Media Temple, RackSpace, Terremark
Software as a Service (SaaS)
  Google Gmail and Apps, JungleDisk, Microsoft Live, RightScale, SalesForce (Sales Cloud, Service Cloud), Zmanda, Zoho
Platform as a Service (PaaS)
  Google App Engine, Microsoft Azure, SalesForce Custom Cloud (Force.com)
Private Clouds
  3Tera AppLogic, Oracle/Sun, VMware vCloud

The OpenCrowd Cloud Solutions Taxonomy is a good graphic for understanding how some of the larger or better known providers relate to each other. While not an exhaustive list, it provides a foundation for segmenting the public Cloud computing industry.

Figure 2: OpenCrowd Cloud Landscape (figure not reproduced)

Different Clouds Require Different Security Responsibilities

According to the Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 prepared by the Cloud Security Alliance (CSA): "Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."

This is illustrated by the differences between distinct Cloud service and deployment models. For example, IaaS providers are responsible for physical security, environmental security, and virtualization security. The consumer is responsible for the security of the operating system, applications, and data. Depending on their chosen model, PaaS providers typically secure their exposed platform and below. In this case, the consumer is again responsible for the security of their own application and, possibly, their data. SaaS providers, however, are responsible for the entire infrastructure, applications, and data. Service levels, privacy, and compliance are negotiated into the contracts for service.

As with most security models, there is a tradeoff between security and flexibility. IaaS provides the most flexibility and extensibility, leaving a large share of the security responsibility with the consumer, while SaaS provides relatively few options to customize or tailor the service but assumes the lion's share of security responsibility.

Private Clouds, whether they are architected and maintained by an internal IT staff or a managed service provider, must secure the entire infrastructure, much like a public SaaS provider. The enterprise clients expect their internal Cloud to be secure and rely on their IT operations staff to maintain the highest safeguards for their data and applications. Private Cloud data and applications likely contain intellectual property and/or competitively sensitive information and must be protected accordingly.
Bottom Line: All Cloud architects must ensure proper management of privileged identities; and all consumers of Cloud services have the responsibility to know and understand who is protecting their data and the practices used to maintain appropriate security. 8

Secure Multi-Tenancy in the Cloud

Most Cloud providers use one or more platform virtualization software packages, or customized derivatives, with a hypervisor, virtual machine manager, or operating system container technology such as Citrix Systems' Xen, VMware's ESX Server, Microsoft's Hyper-V, Oracle/Sun's Logical Domains, etc. Cloud providers scale their operations by pooling shared resources and segregating a portion of the resource for each consumer. Security in and among these virtual instances is maintained by the hypervisor/container, the virtual machine manager, plus proprietary technologies developed by the provider. This places all consumers at equal risk of compromise, but if and when fixes, patches, or updates are rolled out, the provider can implement them much more quickly.

Cloud providers must take great care in protecting access to the underlying systems. If the security of the hypervisor, the underlying network, or the virtualization management system is compromised, the impact could be catastrophic even if Service Level Agreements (SLAs) or other legal agreements are in place.

The same risks are present in private Clouds. Private Clouds are very appealing to enterprises that have excess capacity or are able to achieve cost benefits by implementing Cloud technology either on or off premise. Compromise by a malicious insider, or even inadvertent access by a routine maintenance procedure, could spell disaster for a commercial enterprise.

Most sub-components of a Cloud infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. Many software applications were not written for multi-tenant environments, so multiple instances of the application run concurrently within a virtualization environment. These multi-instance virtual appliances are a suitable alternative to true multi-tenancy but carry the same risks discussed herein.

The CSA offers these essential questions for consumers to consider when using Cloud services:

1. How would we be harmed if the data became widely public and widely distributed?
2. How would we be harmed if an employee of our Cloud provider accessed the asset?
3. How would we be harmed if the process or function were manipulated by an outsider?
4. How would we be harmed if the process or function failed to provide expected results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the data were unavailable for a period of time?

Consumers of Cloud services should weigh the advantages and disadvantages and perform a risk assessment to determine which provider and type of Cloud is most suitable to achieve their business goals.

Top Threats to Cloud Computing

According to CSA's Top Threats to Cloud Computing V1.0, the following seven risks have been identified as the most dangerous:

1. Abuse and Nefarious Use of Cloud Computing: By abusing the relative anonymity behind simple registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity.
2. Insecure Application Programming Interfaces: From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
3. Malicious Insiders: This threat is amplified for consumers of Cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.
4. Shared Technology Vulnerabilities: Inadequate management of virtual machines can allow attackers to enter through back doors and, once inside, to move laterally through the closed environment. Customers should not have access to any other tenant's actual or residual data, network traffic, etc.
5. Data Loss and Leakage: Loss of core intellectual property could cause financial or competitive misfortune. There is a general lack of granularity in the ability to monitor and control what is happening.
6. Account, Service & Traffic Hijacking: If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites.
7. Unknown Risk Profile: The unknown risk. There is a lack of transparency on the part of service providers, and customers often do not know the configuration of the systems or the patch levels of software on which their applications will be residing.

CSA recommends several prescriptive remediations for these threats, including:

- Require transparency into overall information security and management practices, as well as compliance reporting.
- Promote strong authentication and access control for administrative access and operations.
- Prohibit the sharing of account credentials between users and services.
- Disclose applicable logs and data.
- Disclose partial/full details of infrastructure.

Infrastructure transparency, well-managed administrator authentication, and controlled auditing will serve both Cloud providers and Cloud consumers equally well. The strategic road towards more secure and useful Clouds is being built now. Those who take a leadership role for both the supply and demand of a more secure and transparent Cloud will realize benefits for themselves and the industry. A mature and scalable solution for managing privileged identities answers the call for several Cloud security requirements.

Bottom Line: Cloud architects and operators can help mitigate some threats and help achieve the remediations listed above by implementing a secure and scalable system to manage the privileged identities of all infrastructure components. Public Cloud providers and Private Cloud architects are responsible for implementing these and many other remediations to ensure the best environment for Cloud operations. Public Cloud providers can lower barriers to increased business from a large and growing demand for secure Cloud services. Private Cloud architects can enable their organization to fully exploit the advantages of Cloud computing without waiting for Cloud providers to fill the gap. Cloud consumers should expect and must demand appropriate security controls, which include full-scale management of privileged identities.

Privileged Accounts

Privileged identities are accounts that hold elevated permission to access files, run programs, and change configuration settings. Privileged identities exist on almost all datacenter infrastructure components such as servers, routers, switches, firewalls, storage systems, etc., and in programs and services such as databases, web services, backup software, scheduled tasks, scripts, etc. In Cloud computing environments, the administration of these privileged accounts becomes extremely important to the overall security architecture. Cloud providers have an opportunity to demonstrate leadership with proper management of this critical element and increase confidence with their clients and, perhaps more importantly, prospective clients.

How Access to Privileged Identities Spreads

Privileged identities are widespread in the IT infrastructure, since they are found from the iron on through to the application: on server and desktop operating systems, on network devices, and in applications and services. Unauthorized access to privileged account passwords on any physical or virtual resource can lead to a compromise of sensitive corporate data and disruptions to IT services. Without proper controls, access to an organization's privileged accounts spreads over time, often in unplanned ways. This happens as companies:

- Fail to change the pre-configured logins and service accounts that are introduced as they deploy new hardware and applications
- Delegate administrative duties across overlapping groups, change the roles of IT administrators, or contract IT jobs to outside personnel
- Fail to revoke all privileged accounts accessed by employees after their jobs change or employment ends
- Are breached by social engineering, dictionary attacks, or other means

Privileged Identities: The Risks

Because large organizations have thousands of privileged accounts in use throughout the IT infrastructure, it can be virtually impossible to manually track and update them all, everywhere they are in use. In the absence of automated processes, IT staff often follow one of these or similar procedures:

- Use the same common, unchanging password
- Use custom scripts and group policy changes
- Use /etc/passwd and rsync
- Use combinations of NIS, Kerberos (secret-key cryptography), sudo, GPG (a free replacement for PGP), etc.

An organization that does not maintain frequently-changed, unique passwords for all of its privileged accounts faces the threat of unauthorized users and malicious programs compromising just one password and gaining unrestricted access to resources throughout the network. Former employees familiar with the privileged passwords at their previous organizations, and malware that exploits common privileged account passwords, pose a particular threat. Manual processes to change privileged account passwords also pose risks, since improperly implemented and incomplete password updates can result in account lockouts, cascading system failures, and extended IT service disruptions.

The lack of adequate policies and practices to manage privileged accounts can make an organization unable to:

- Address its security risks by locating all potential privileged account vulnerabilities
- Protect its access by verifying that sensitive data is only accessible to authorized users
- Verify security by providing an audit trail of individuals who are granted access to sensitive data
- Reduce the potential for extended damage after a security breach exposes privileged credentials that can be re-used across independent IT assets
- Eliminate undesired system changes and service disruptions when privileged accounts are used for tasks that don't require them
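The practices and risks described in the two sections above (one shared, unchanging password; vendor logins never changed after deployment; accounts that outlive their owners; one compromised password unlocking systems across the network) can be checked mechanically once an inventory of privileged accounts exists. The script below is an added example written for this page, not code from the paper or from any product it discusses. The inventory, the departed-staff list, the vendor-default list and the 90-day rotation policy are all constructed for illustration. It fingerprints passwords with a keyed HMAC so the report itself never carries a crackable hash, then flags reuse, unchanged defaults, stale rotation and orphaned ownership, and reports the blast radius of the most widely shared password.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample inventory: one record per privileged account found on a
# system. Hosts, owners and passwords are invented for this example; a real
# feed would come from account discovery, never from a literal in code.
INVENTORY = [
    {"host": "web01", "account": "root", "password": "Summer2012!", "changed": date(2011, 1, 5), "owner": "alice"},
    {"host": "web02", "account": "root", "password": "Summer2012!", "changed": date(2011, 1, 5), "owner": "alice"},
    {"host": "db01", "account": "sa", "password": "Summer2012!", "changed": date(2012, 2, 1), "owner": "bob"},
    {"host": "fw01", "account": "admin", "password": "admin", "changed": date(2010, 6, 30), "owner": "carol"},
    {"host": "app01", "account": "svc_backup", "password": "q9!Vt3#mLp2$Xz8w", "changed": date(2012, 3, 1), "owner": "dave"},
]
DEPARTED = {"carol"}                                 # constructed HR feed of former staff
VENDOR_DEFAULTS = {"admin", "password", "changeme"}  # constructed list of pre-configured logins
ROTATION_MAX_AGE = timedelta(days=90)                # assumed policy: rotate at least every 90 days
AS_OF = date(2012, 4, 1)                             # fixed "today" so results are reproducible
FINGERPRINT_KEY = b"constructed-audit-key"           # kept out of the report; makes fingerprints uncrackable


def fingerprint(password):
    """Keyed fingerprint: the report can group equal passwords without
    carrying a plain hash that could be attacked offline."""
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def _name(rec):
    return f'{rec["host"]}/{rec["account"]}'


def find_reused(inventory):
    """Groups of accounts sharing one password (the 'same common password' practice)."""
    groups = {}
    for rec in inventory:
        groups.setdefault(fingerprint(rec["password"]), []).append(_name(rec))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def find_default(inventory):
    """Pre-configured logins that were never changed after deployment."""
    return [_name(r) for r in inventory if r["password"] in VENDOR_DEFAULTS]


def find_stale(inventory, as_of=AS_OF, max_age=ROTATION_MAX_AGE):
    """Passwords older than the rotation policy allows."""
    return [_name(r) for r in inventory if as_of - r["changed"] > max_age]


def find_orphaned(inventory, departed=DEPARTED):
    """Accounts whose owner has left but whose credential was never revoked."""
    return [_name(r) for r in inventory if r["owner"] in departed]


def audit(inventory):
    """Full report plus the blast radius of the single most-shared password:
    the number of systems one compromised credential would unlock."""
    reused = find_reused(inventory)
    return {
        "reused": reused,
        "default": find_default(inventory),
        "stale": find_stale(inventory),
        "orphaned": find_orphaned(inventory),
        "worst_blast_radius": max((len(g) for g in reused), default=1),
    }


if __name__ == "__main__":
    for finding, items in audit(INVENTORY).items():
        print(f"{finding}: {items}")
```

On the constructed inventory the root password shared by web01, web02 and db01 gives a blast radius of three systems, fw01 still carries its vendor default and belongs to someone who has left, and three of the five accounts are past the rotation policy. In practice the same checks run against discovery output rather than a literal, and the fingerprint key lives with the auditor, not in the report.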

Securing Privileged Identities Above and Below the Hypervisor

Privileged identities exist in many components of a datacenter's architecture: beginning with the BIOS in the hardware, then up the stack through the host operating system, hypervisor, and guest operating systems, as well as in applications including databases, middleware, business applications, and web services. Every privileged identity in every host OS, guest OS, and application presents a potential security threat if unsecured.

Figure 3: The Stack of Privileged Identities (figure not reproduced)

As mentioned earlier, IaaS providers are concerned with securing the identities below the hypervisor. The consumer client is responsible for securing the identities above the hypervisor. PaaS providers secure the exposed platform (not shown) and below. SaaS and Private Cloud providers are responsible for the entire stack.

The Limited Value of a SAS 70 Type II Audit Report

Effective March 31, 1993, the Statement on Auditing Standards (SAS) No. 70, Service Organizations, developed by the American Institute of Certified Public Accountants (AICPA), is an authoritative auditing standard that provides guidance for auditors to consider when auditing financial statements of companies that use service organizations to process transactions. It also provides guidance for independent auditors who audit service organizations. Among other things, a SAS 70 Audit asserts that the control objectives and control activities of a service organization are in line with the guidance in SAS No. 70. A Type I audit asserts the control objectives are met on a specific date or snapshot in time. A Type II audit asserts the control objectives are continuously met during a period of time, typically 6 months or 1 year.

SAS 70 Audits, however, lack standardization. An organization self-defines the objectives for its internal business controls. Examples of relevant internal business controls include account provisioning, data backup, patch management, and disaster recovery. This means all SAS 70 certifications are probably different in some minor or substantial way. SAS 70 was intended to assist IT service providers offering services to known financial institutions. However, Cloud computing services offered to the public and unknown users present a different scenario. A SAS 70 Audit doesn't specifically address issues affecting Cloud-based services.

Many Cloud providers state they have passed a recent SAS 70 Type II audit. However, the details of precisely HOW the controls are in place and maintained remain elusive. This concept is described as Security by Obscurity. While most Cloud providers have a vested interest in maintaining their own architecture's security as well as the security between and among their clients, they are reluctant to disclose such details for fear of divulging potential vulnerabilities.
SAS 70 is a methodology for performing an audit. It does not include the audit rules. The company being audited authors its own control objectives, probably to its advantage. Moreover, if a provider's SAS 70 audit report is not available for review, it's impossible to vet the controls and control objectives and evaluate whether they can satisfy a client's security requirements.

A Solution to Automate the Management of Privileged Credentials

The technologies and practices used by Cloud providers are quite mature and well known. However, the complexity and scale of a large Cloud computing operation, coupled with the ability to access the service from a variety of networks through APIs, is relatively new. This presents several unknown and untested scenarios. The industry will continually refine its security practices, but until the current mixture of technologies, practices, access and scale is proven out, it makes good sense to take all precautions with high value data and applications. This applies to all types of Clouds: Private Clouds, Public Clouds, or Hybrid Clouds.

Buy Versus Build (or Keep Building)?

Identity and Access Management (IAM) frameworks from leading vendors like Microsoft, Oracle, IBM, Sun and others don't detect or control privileged identities. Most operations staff that want or need to manage a large number of privileged identities will resort to writing scripts to perform some level of automation. Enterprises or Cloud providers that want to scale their operations without incremental costs and overhead should consider a fully supported solution with a professional development lifecycle.

For Your Consideration: Enterprise Random Password Manager

Enterprise Random Password Manager (ERPM) from Lieberman Software Corporation is a strategic automated Privileged Identity Management solution designed from an operational perspective to be exceptionally efficient, and is suitable for most Cloud infrastructures. While the name includes "Password", it does support authentication keys and hardware security modules (HSM), as discussed later. It deploys easily and leads the market in automating and securing the complex shared-account problem every enterprise has and is under pressure to fix.
ERPM helps organizations achieve compliance with SOX, HIPAA, PCI DSS and FISMA mandates by establishing and automating a comprehensive credential management process for privileged accounts. ERPM discovers, updates, stores, and enables secure recovery of the local, domain, and process account passwords in your Cloud infrastructure. It detects the locations where privileged account credentials are in use, including physical and virtual operating systems, applications, databases, web services, tasks, and more. It then secures these credentials and propagates the changes to interdependent accounts. ERPM creates unique, complex passwords for each privileged account and changes them as often as your policies require. These unique credentials mitigate the threat of unauthorized peer-to-peer access and ensure the confidentiality of each privileged account password until an authorized user checks it out.

ERPM can support hundreds of thousands of systems, including servers, virtual servers, databases, desktops, backup systems, network switches, firewalls and applications, to support the largest Cloud deployments. ERPM uses SQL Server or Oracle for its data store, so existing database monitoring and administration tools and in-house DBA expertise continue to apply.

Figure 4: The Stack of Privileged Identities

Auditing Portal

Transparency Adds Value

The ability to show others your security practices, and to give them proper access to the details, is a powerful business capability. All ERPM actions and password access activities are audited and available through real-time monitoring and in-depth administrative reporting. Compliance reporting takes snapshots of the relevant program data directly from the database and copies them to a separate reporting database in a structured way that preserves the operation-specific data constraints. This gives an administrator or auditor a window to trace not only what the application did, but also the state of the system, including access rights, at specific times, and the changes made over time both to the application's environment and to the operations themselves. Cloud providers, Cloud consumers and their respective auditors each get their appropriate web-based views through a user- and role-based portal login. Any authorized user can view the status and history of privileged access to any infrastructure component.

Hardware Encryption

ERPM is unusual in supporting hardware encryption modules, which off-load encryption to an external hardware device. Hardware Security Module (HSM) technology has been used for years in the government, military and intelligence communities to address a weakness of conventional software encryption: when software performs the encryption, the key must be present in process memory at the moment of use, so a debugger or a memory dump can recover it even if the key is stored encrypted at rest. With an HSM, the key never appears in host memory. It is generated and kept inside a tamper-resistant device, typically a card installed in the server or a network-attached appliance, and the host sends data to the device for encryption and decryption rather than retrieving the key. Note that the HSM protects the master key that encrypts the stored credentials; once a password has been checked out to a requester, its protection depends on the access and rotation policies described elsewhere in this paper. ERPM can interface with any HSM from a commercial third party or the intelligence community that provides a PKCS#11 interface library.

Benefits to Cloud Providers

Protect against Insider Threats

The threat from insiders is nearly the same as that from outside intruders. While both insider threats and attacks from the outside have always existed, the quantity and sophistication of these attacks are rising. Sophisticated botnets running within a Cloud provider's infrastructure have so far been relatively harmless, but they are likely to become more powerful. Some Cloud providers acknowledge that they are tightening their background investigation requirements for new employees. An automated, supported solution that removes the need to entrust secrets to any individual provides the best defense against insider threats.

Protect against Loss of Information, Inadvertent or Intentional

When IT personnel change jobs they can take with them the password secrets that grant access to sensitive data, permission to execute programs, and the ability to change configuration settings on virtually any piece of hardware or software. Frequently, system credentials are not changed during staff turnover. Even with good security practices in place, inadvertent access to privileged credentials should be eliminated for the best protection. To maintain security as your environment changes, build these items into the process:

Continuous Discovery. As the organization deploys new hardware and software, continuously discover and secure new privileged identities to eliminate security risks.

Comprehensive Propagation. Secure and propagate each changed credential across interdependent accounts to prevent the service disruptions and application lockouts that occur when manual processes fail to account for the proliferation of embedded credentials.

Strong Password Security. Use robust, unique, frequently changing credentials to thwart attempts by malicious programs and unauthorized users to gain access to computers and applications.

Immediate User Recognition. Whenever the role of any staff member changes, the Role-Based Access Control system must immediately notify the privileged identity management system so that the person's access to credentials is adjusted at once.

Audit and Generate Compliance Reports

Current compliance reporting can be very time consuming and yet yield little benefit to the organization. A good solution will:

Assist with Regulatory Compliance. Standards such as PCI DSS, Sarbanes-Oxley and HIPAA require the enforcement of privileged password security.

Provide Comprehensive Audit Trails. Each time authorized IT staff request privileged access for routine maintenance or emergency fire-call repairs, create an authoritative audit trail showing the requester, target system and account, date and time, location, and purpose of the request.

Deliver Efficient Compliance Reporting. Upon request, easily provide detailed reports proving that your privileged accounts are secure.

Facilitate Global Accessibility and Delegated Workflows

Global remote access can be provided through a secure web interface that gives authorized staff fast access to privileged account credentials for routine system maintenance or emergency fire-call repairs. Delegated workflows save IT management time by providing fine-grained control over which individuals and roles can either recover passwords directly or make case-by-case requests, with an option for brokered RDP access so that contract and vendor personnel never see a password.

Reduce Administration Overhead

Allow your highly trained staff to move on to higher-value projects and tasks. A good solution leads to:

Improved Staff Efficiency. When security policies require changes to privileged passwords, discover and change these credentials immediately.

Fewer Service Disruptions. As integrated IT services expand, detect new application interdependencies and deploy all changed credentials simultaneously to avoid service disruptions and lockouts.

Faster Emergency Access. Whenever authorized IT personnel need privileged access for routine tasks or emergency fire-call repairs, grant the credentials securely and only to authorized roles.
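To make concrete the behaviour the preceding sections describe (unique random passwords per account, policy-driven rotation, propagation to the services that embed a credential, time-limited check-out to authorized roles, and an audit record of requester, target, time, location and purpose), here is an added example in Python. It is not ERPM code and is not from Lieberman Software; the vault class, its policy values (24-character passwords, 30-day maximum age, 60-minute check-out), the system, account and requester names, and the fixed clock T0 are all assumptions constructed for illustration. Propagation is recorded in the audit trail rather than pushed to real services.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SYMBOLS = "!@#$%^&*()-_=+"                        # illustrative policy, not an ERPM setting
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
T0 = datetime(2010, 6, 1, tzinfo=timezone.utc)    # fixed clock so runs are reproducible

def at(minutes=0, days=0):
    """Clock helper: T0 plus an offset, used instead of wall-clock time."""
    return T0 + timedelta(minutes=minutes, days=days)

def generate_password(length=24):
    """Complex password from the OS CSPRNG; redraw until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

@dataclass
class PrivilegedAccount:
    system: str
    name: str
    password: str
    rotated_at: datetime
    dependents: list = field(default_factory=list)  # services/tasks that embed this credential

class CredentialVault:
    """Toy vault: discover, rotate, propagate, check out with a TTL, and audit everything."""

    def __init__(self, authorized, max_age_days=30, checkout_ttl_minutes=60):
        self.accounts = {}       # (system, name) -> PrivilegedAccount
        self.audit = []          # authoritative audit trail, one dict per event
        self.checkouts = {}      # (system, name) -> (requester, expires_at)
        self.authorized = authorized   # requester -> set of systems that role may access
        self.max_age = timedelta(days=max_age_days)
        self.checkout_ttl = timedelta(minutes=checkout_ttl_minutes)

    def _log(self, when, action, requester, system, account, purpose="", location=""):
        self.audit.append({"time": when.isoformat(), "action": action, "requester": requester,
                           "system": system, "account": account, "location": location,
                           "purpose": purpose})

    def discover(self, system, name, now, dependents=()):
        """Continuous discovery: enrol a newly found account and replace its password at once."""
        if (system, name) in self.accounts:
            return False
        self.accounts[(system, name)] = PrivilegedAccount(system, name, "", now, list(dependents))
        self.rotate((system, name), now, requester="discovery")
        return True

    def rotate(self, key, now, requester="policy"):
        """Set a fresh random password and push it to every dependent in the same change."""
        acct = self.accounts[key]
        acct.password, acct.rotated_at = generate_password(), now
        self._log(now, "rotate", requester, acct.system, acct.name)
        for dep in acct.dependents:   # comprehensive propagation: no dependent is left behind
            self._log(now, "propagate", requester, acct.system, acct.name,
                      purpose=f"pushed new credential to {dep}")
        return acct.password

    def rotate_expired(self, now):
        """Policy-driven rotation of every account whose password is older than max_age."""
        due = [k for k, a in self.accounts.items() if now - a.rotated_at >= self.max_age]
        for key in due:
            self.rotate(key, now)
        return due

    def checkout(self, requester, system, name, purpose, now, location="unknown"):
        """Time-limited disclosure to an authorized requester; refusals are audited too."""
        if system not in self.authorized.get(requester, set()):
            self._log(now, "deny", requester, system, name, purpose, location)
            raise PermissionError(f"{requester} is not authorized for {system}")
        self.checkouts[(system, name)] = (requester, now + self.checkout_ttl)
        self._log(now, "checkout", requester, system, name, purpose, location)
        return self.accounts[(system, name)].password

    def checkin(self, requester, system, name, now):
        """Check-in rotates the account, so the value that was disclosed stops working."""
        self.checkouts.pop((system, name), None)
        self._log(now, "checkin", requester, system, name)
        return self.rotate((system, name), now, requester=requester)

    def expire_checkouts(self, now):
        """Enforce the TTL: a checkout past its expiry is checked in (and rotated) automatically."""
        expired = [k for k, (_, exp) in self.checkouts.items() if now >= exp]
        for system, name in expired:
            self.checkin("ttl-expiry", system, name, now)
        return expired

    def all_unique(self):
        """Policy check: no two privileged accounts may share a password."""
        pws = [a.password for a in self.accounts.values()]
        return len(pws) == len(set(pws))
```

Typical use is discover("web01", "Administrator", at(), dependents=["svc:backup-agent@web01"]) followed by a checkout by an authorized requester and a checkin a few minutes later; every step, including a refused checkout, lands in vault.audit with the fields the audit-trail requirement above lists. The design choice worth noting is that checkin and TTL expiry both rotate rather than merely close the record, so a disclosed password cannot be retained by the person who saw it.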

Enable Transparent Security Practices

Since more consumers are asking for details on the security practices of the Cloud provider's operations, the Cloud provider can offer appropriate views into its security practices and audit logs without compromising the integrity of the overall security architecture. The solution is suitable for documenting the Privileged Identity Management policies in a Non-Disclosure Agreement between the Provider and the Consumer. This may attract and retain high-value business relationships until other alternatives, such as those proposed by CloudAudit, are available.

Increase Consumer Confidence

ERPM is a best-in-class solution that has been implemented by US Federal Government agencies to support the Federal Information Security Management Act (FISMA). The Provider's SAS 70 Type II audit report may now have a stronger section on password/credential management.

Table 2: Cloud Provider Benefits Summary

BENEFITS TO CLOUD PROVIDERS                                        Private   Managed or      Public Cloud
                                                                   Cloud     Hosted Cloud    SaaS   PaaS   IaaS
Protect against Insider Threats                                      X           X            X      X      X
Protect against Loss of Information (Inadvertent or Intentional)     X           X            X      X      X
Audit and Generate Compliance Reports                                X           X            X      X      X
Facilitate Global Accessibility and Delegated Workflows              X           X            X      X      X
Reduce Administration Overhead                                       X           X            X      X      X
Enable Transparent Security Practices                               N/A          X            X      X      X
Increase Consumer Confidence                                        N/A          X            X      X      X

Benefits to Cloud Consumers

To better protect highly sensitive information against internal and external threats, you should be able to closely examine how powerful privileged accounts are monitored and controlled by your Cloud provider(s). You should expect them to have:

Proven processes, procedures and technologies that automate adherence to the security policies
Automated and continuous control of administrative privileges
Time-limited access to privileged accounts

Manage Privileged Accounts Securely

As a consumer of public Cloud services, enterprise IT staff can use ERPM to maintain privileged identities within their own enterprise, their own private Cloud, their own managed or hosted Cloud, and those at IaaS or public Cloud providers.

Document and Verify Controls and Objectives

When ERPM is implemented and disclosed by a public Cloud provider, a consumer will know that certain controls and control objectives are adequate to satisfy their various audited compliance reports. When ERPM is implemented by an enterprise, the enterprise can extend the capability to manage virtual systems at public Cloud providers.

View Access Logs

A secure web interface gives authorized personnel access to audit logs, so they know whether anyone has had access to systems that have been processing consumer data, regardless of where the system is located or hosted.

Table 3: Cloud Consumer Benefits

BENEFITS TO CLOUD CONSUMERS                                        Private   Managed or      Public Cloud
                                                                   Cloud     Hosted Cloud    SaaS   PaaS   IaaS
Manage Privileged Accounts Securely                                  X           X            X      X      X
Document and Verify Controls and Objectives                          X           X            X      X      X
View Access Logs                                                     X           X            X      X      X

Looking Forward

The efforts of the CloudAudit group may help make a Cloud provider's infrastructure operations more transparent. The goal of CloudAudit (codename: A6) is to provide a common interface that allows Cloud computing providers to automate the Audit, Assertion, Assessment and Assurance (A6) of their infrastructure (IaaS), platform (PaaS) and application (SaaS) environments, and to allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. Additionally, the CSA provides remediation suggestions that address the various domains of security for Cloud computing and are good prescriptive advice for Cloud architects worldwide. The CSA will continue to refine and add findings and recommendations as its research proceeds.

A solution such as ERPM from Lieberman Software, which has a long roadmap and viable development and support resources, can substantially increase the security of any large deployment of IT assets. Additional functions and features will be added to the product as Cloud provider security models and practices mature.

Next Steps

Cloud consumers are asking, "How do I know my data is being protected by this Cloud service?" They want assurance that their data is well protected, and they need to be able to demonstrate tangible Cloud security practices to their auditors and upper management. Moreover, all interested parties should have access to continuous audit logs. Cloud providers should examine and evaluate a solution such as ERPM to help secure their architecture and gain further confidence from consumers. This will add value to their existing services and bring incremental business. Private Cloud architects should plan a pilot project to integrate ERPM into their architectures as a proven solution for managing privileged identities. The technology exists now to secure the BIOS, host OS, VM, guest OS, applications and more. In addition to computing resources, other infrastructure components such as switches, routers, KVMs and remote access devices can be secured equally well with current technology. All Cloud providers, Private and Public, have the opportunity to take a leadership position by implementing such technology.

Based in Los Angeles, CA, Lieberman Software is a mature, profitable company with over 900 enterprise customers, including major well-known telecommunications, financial, high-tech and defense companies.

About the Author

Steve Staso is the President of Field and Wave Solutions, an independent consulting organization that enables clients to gain a competitive advantage with Cloud computing, web and internet technologies. Steve is known as a strategic thinker and high-level communicator. Equally familiar with the business drivers of both enterprises and startups, he applies best practices from both types of organizations to help solve complex business challenges using leading-edge information technology. Follow Steve on Twitter and his blog at http://stevestaso.com/

References

SAS 70, American Institute of Certified Public Accountants: http://www.aicpa.org/professional+resources/accounting+and+auditing/Authoritative+Standards/auditing_standards.htm
SAS 70: http://www.sas70.com/
SAS 70, "Why Amazon's SAS70 is bogus": http://cloudscaling.com/blog/cloud-computing/why-amazons-sas70-is-bogus
SAS 70, AU 324: http://www.aicpa.org/download/members/div/auditstd/au-00324.pdf
NIST Cloud Computing: http://csrc.nist.gov/groups/sns/cloud-computing/index.html
OpenCrowd Cloud Computing Landscape (used with permission): http://www.opencrowd.com/views/cloud.php
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Cloud Security Alliance: http://www.cloudsecurityalliance.org/csaguide.pdf
Cloud Computing Security Risk Assessment, European Network and Information Security Agency (ENISA): http://www.enisa.europa.eu/
Top Threats to Cloud Computing Version 1.0 (2010), Cloud Security Alliance: http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
CloudAudit: http://www.cloudaudit.org/
The Top 150 Players in Cloud Computing: http://cloudcomputing.sys-con.com/node/770174
Lieberman Software Privileged Identity Management: http://liebsoft.com/privileged_identity_management/
Lieberman Software Enterprise Random Password Manager: http://www.liebsoft.com/erpm
Lieberman Software, Managing Privileged Identities in the Cloud: http://liebsoft.com/managing_privileged_identities_in_the_cloud/