CLOUD SECURITY AND COMPLIANCE: A PRIMER


SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.


Copyright SANS Institute Author Retains Full Rights

Sponsored by Catbird & McAfee

A SANS Whitepaper – August 2010
Written by Dave Shackleford

Contents
• Compliance in the Cloud
• Deployment and Delivery Models
• Mobility of Resources
• Who Sees What Data (And How Do You Know)?
• Identity and Access Management
• Data Protection
• Incident Response, Audit and Assessment

Introduction

Organizations are moving towards cloud technologies for scalability, cost reduction, and new service offerings. But what, exactly, is the cloud? NIST (the National Institute of Standards and Technology) defines five key characteristics of cloud services, including broad network access, resource pooling, rapid elasticity (provisioning/deprovisioning), on-demand self-service, and others.1

With their virtual back-ends, clouds are dynamic. Data, applications, and users move between internal and external clouds for different uses. For example, an organization may use Google Apps for its corporate email, while its human resources and customer applications are restricted to internally developed and managed clouds. Ultimately, according to a January 2010 article in SCMagazine, internally developed clouds will be handed over to service providers for ongoing support.2

Tackling all the security and compliance issues that come up in this dynamic environment seems daunting unless you boil them down to four problem areas that apply to all forms of cloud computing:
• Mobility and multi-tenancy
• Identity and access management
• Data protection
• Incident response and assessment

To help organizations get started with their cloud programs, SANS has created this quick guide to address these control areas, which are unique to cloud computing.

1 http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
2 www.scmagazineus.com/cloud-shift-weighing-the-risks-and-benefitsof-a-new-technology/article/159960/

SANS Analyst Program

1


Compliance in the Cloud

One distinction to make is the difference between achieving compliance and measuring compliance. Cloud customers will need assurance and proof that providers have controls in place, much as traditional hosting providers have had to provide for years now. The same is true for organizations building their own clouds in order to satisfy their own audits. Most auditors don’t understand virtualization or cloud computing particularly well, which complicates the issue further.

Cloud providers are issuing, or planning to issue, SAS 70 Type II audit reports on control efficacy within their cloud environments, but most security and compliance professionals feel this is inadequate. These audits are largely self-defined and may also be ambiguous with regard to which controls are audited and how they perform. ISO 27001/27002, which provides a more structured framework of best practices in many areas, is a better standard to adhere to. Another good resource is the SANS guide for auditors of virtualized environments.3 The Cloud Security Alliance, along with numerous other virtualization and cloud security experts, has called for cloud providers to adopt the ISO 27001/27002 standards for auditing and reporting on the state of controls within the cloud environment. Additional projects, such as CloudAudit, have cropped up to address these shortcomings as well. CloudAudit espouses a methodology called A6 (Automated Audit, Assertion, Assessment and Assurance API), which could lead to a more thorough, open audit mechanism for cloud providers to adopt.4

Because cloud computing heavily leverages virtualization technologies, a variety of fairly mature virtualization security and compliance guides are also helpful. VMware has released several guides explaining how to configure Virtual Infrastructure 3 and vSphere securely.5 Several other well-known guides have been released by organizations such as the Defense Information Systems Agency (DISA)6 and the Center for Internet Security (CIS).7 To help organizations utilize these guides, SANS published a Guide to Virtualization Hardening Guidelines in June 2010.8

3 www.sans.org/reading_room/analysts_program/VMware_ITAudit_Sep09.pdf
4 http://cloudaudit.org/
5 http://communities.vmware.com/docs/DOC-12306
6 http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
7 www.cisecurity.org/tools2/vm/CIS_VMware_ESX_Server_3.5_Benchmark_v1.2.0.pdf
8 www.sans.org/reading_room/analysts_program/vmware-guide-may-2010.pdf


Deployment and Delivery Models

In order to secure cloud computing and make it compliant, organizations first need to understand the types of cloud computing they may be using to support their objectives. Three common service delivery models are:
• Software-as-a-Service (SaaS). A SaaS model provides pre-installed software to customers who don’t want to manage their applications and infrastructures. Examples include Salesforce.com and Google Apps, which handle system, application, and data management for their customers.
• Platform-as-a-Service (PaaS). A PaaS model usually consists of a hosted development environment, including application programming interfaces (APIs) and various operating platforms such as Windows or Linux (available in different configurations). Organizations have more granular control over applications and data placed in the cloud, including controls for security and compliance.9
• Infrastructure-as-a-Service (IaaS). For even better segmentation and control over their own applications, customers can lease an actual physical system or a combination of hardware and software services from providers like Rackspace, GoGrid, and Terremark. In most cases, the customer installs and maintains operating systems and applications, as well as any security components desired.

Any of these service models can then be deployed in a number of ways. The most common deployment models described by the Cloud Security Alliance (CSA) include:10
• Public: Available to anyone via the Internet, associated with a cloud service provider like Amazon EC2.
• Private: Internally developed clouds, provisioned internally or by a third-party service provider such as Amazon.com, but available only to a single organization.
• Community: A cloud shared by multiple organizations with a common purpose or community. An example would be Google’s “Gov Cloud,” a specially allocated cloud environment that Google uses to offer services to government entities.
• Hybrid: A combination of two or more of the three types mentioned, with possible data and/or application integration between them. An organization could, for example, use its internal cloud for specific business department uses (such as HR) and use Google to manage its email applications.

The combination of service models, coupled with the combination of deployment models, creates a large number of variables in how security and compliance are carried out. However, some common concerns apply to all models, particularly around mobility of assets, access, data protection, and incident response, which we cover in the following sections.

9 www.rationalsurvivability.com/presentations/Hoff-Frogs-Source.pdf
10 www.cloudsecurityalliance.org/csaguide.pdf


Mobility of Resources

With assets moving between clouds, identifying critical data and applications and setting policies around them are critical first steps in any cloud security policy. Policies should be specialized and should meet consumers’ resource, compliance, and security needs. Policies also need to move with data and resources as they migrate, which creates new challenges in maintaining security and compliance. Critical and regulated data may be moving throughout the cloud from one infrastructure platform to another, or even within the same hardware platform. Figure 1 illustrates this concept.

Figure 1: Policy Migration with Cloud Asset Movement


A more pressing issue may be a lack of understanding of, or focus on, cloud policy in general. In an SCMagazine article from April 2010, only 20 percent of respondents to a survey indicated that security teams are involved in decision-making for cloud computing.11 If security teams don’t step in and become involved in these new IT projects, they’ll be developing policies after the fact—quite often after a failure or exploit. Practitioners are better off finding out what cloud projects are being considered, and then enabling the organization by ensuring that security, compliance and reporting needs are met and managed. Security and compliance teams now need to consider:
• The cloud provider’s systems and staff
• Data classification and lifecycle management in dynamic, multi-tenant environments
• Compliance and audit of data, and of access to critical data and systems that are mostly virtual and dynamically moving between public and/or private clouds
These points are discussed in more detail in the next section.

11 www.scmagazineus.com/most-organizations-falling-short-on-cloudsecurity-policies/article/167415/


Who Sees What Data (And How Do You Know)?

In cloud environments, multiple parties’ data and services may exist on a single physical platform running virtual services for its customers. This creates several problems for security, compliance and audit, including:
• Limited ability to control data and applications
• Limited knowledge of, and no visibility into, the degree of segmentation and security controls between co-located virtual resources
• Audit and control of data in the public cloud with no visibility into the provider’s systems and controls

Even in a privately managed private cloud, multi-tenancy exists at many layers, including storage, application, database, operating platform and hypervisor-based infrastructure. In other words, hosts, data centers and networks can potentially be shared between the same and different organizations or internal business units. As such, it is critical that network segmentation is created securely, with the ability to monitor any anomalies that may occur across virtual network boundaries. Figure 2 shows the simplest example of system segmentation and access control concerns within a virtual multi-tenant cloud environment.

Figure 2: Multi-tenant Isolation in a Cloud Network


The question in a public cloud service is how the provider can prove secure segmentation. Popular Web services claim to offer hypervisor-based isolation. Amazon EC2, for example, makes use of a customized Xen hypervisor, and firewalling capabilities are built into this layer. Amazon claims that this provides adequate separation between EC2 virtual instances.12

In addition, new “virtualization-aware” products are available that introduce firewall and network access control capabilities into the virtual infrastructures supporting most clouds. These give organizations building private clouds more effective means to segregate virtual assets that reside on the same physical host by implementing security boundaries or zones. Zones are used to limit data exposure and interaction between virtual systems and data. In their book Cloud Security and Privacy, Mather, Kumaraswamy and Latif describe the concept of the security “domain.” In this model, domains provide logical separation between ‘tiers’ (zones), but with less precision and weaker security protection than zones themselves offer.13

12 http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf
13 Mather, Kumaraswamy, & Latif (2009). “Cloud Security and Privacy,” Mountain View, CA: O’Reilly, p. 42.
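Whether a rule set actually keeps tenants apart can be checked mechanically rather than taken on faith. The following is an added example, not code from the SANS paper or from any provider: it takes a constructed inventory of virtual machines labelled by tenant and zone, a constructed list of virtual firewall rules, and flags every allow rule whose source or destination spans more than one tenant. The rule and inventory formats are assumptions made for the illustration; real security groups and virtual firewalls have their own schemas.

```python
"""Audit virtual firewall rules for traffic that crosses tenant boundaries.

Added example, not taken from the SANS paper. The inventory, zone names
and rule format below are constructed for illustration; real security
groups and virtual firewalls have their own schemas.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    tenant: str   # organization or business unit that owns the VM
    zone: str     # security zone within the tenant, e.g. "web" or "db"
    cidr: str     # address (or subnet) assigned to the VM


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR; "0.0.0.0/0" means any source
    dst: str      # destination CIDR
    port: int     # 0 = any port
    action: str   # "allow" or "deny"


# Constructed inventory: two tenants sharing the same virtual infrastructure.
INVENTORY = [
    VirtualMachine("acme-web-1", "acme", "web", "10.1.1.10/32"),
    VirtualMachine("acme-db-1", "acme", "db", "10.1.2.10/32"),
    VirtualMachine("bravo-web-1", "bravo", "web", "10.2.1.10/32"),
    VirtualMachine("bravo-db-1", "bravo", "db", "10.2.2.10/32"),
]

# Constructed rule set containing two deliberate segmentation defects.
RULES = [
    Rule("acme-web-to-db", "10.1.1.0/24", "10.1.2.10/32", 3306, "allow"),
    Rule("bravo-web-to-db", "10.2.1.0/24", "10.2.2.10/32", 3306, "allow"),
    # Defect 1: acme's web tier is allowed to reach bravo's database.
    Rule("legacy-db-access", "10.1.1.0/24", "10.2.2.10/32", 3306, "allow"),
    # Defect 2: management rule open to any source across every tenant.
    Rule("any-ssh", "0.0.0.0/0", "10.0.0.0/8", 22, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]


def vms_matching(cidr, inventory):
    """Return the VMs whose assigned range overlaps the given CIDR."""
    net = ip_network(cidr, strict=False)
    return [vm for vm in inventory
            if net.overlaps(ip_network(vm.cidr, strict=False))]


def audit_rules(rules, inventory):
    """Flag allow rules whose endpoints belong to more than one tenant.

    Returns a list of (rule_name, kind, src_tenants, dst_tenants) where
    kind is "any-source" for rules open to the whole address space,
    "cross-tenant" when source and destination tenant sets differ, and
    "multi-tenant" when one side alone spans several tenants.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src_tenants = {vm.tenant for vm in vms_matching(rule.src, inventory)}
        dst_tenants = {vm.tenant for vm in vms_matching(rule.dst, inventory)}
        if len(src_tenants | dst_tenants) <= 1:
            continue  # the rule stays inside a single tenant
        if ip_network(rule.src, strict=False).prefixlen == 0:
            kind = "any-source"
        elif src_tenants != dst_tenants:
            kind = "cross-tenant"
        else:
            kind = "multi-tenant"
        findings.append((rule.name, kind, sorted(src_tenants), sorted(dst_tenants)))
    return findings


if __name__ == "__main__":
    for name, kind, src, dst in audit_rules(RULES, INVENTORY):
        print(f"{name}: {kind} (src tenants {src} -> dst tenants {dst})")
```

Run against the constructed data, the audit reports the two defective rules and nothing else; rules that never leave a single tenant are silent. The same check can be re-run whenever the inventory changes, which is the point in an environment where virtual machines migrate between hosts.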


Identity and Access Management

Identity management, including user provisioning and de-provisioning, is challenging to implement and manage in a virtualized environment where resources are dynamic and mobile. Federation, or the sharing of user credentials between entities in federated networks, is one way to expand access across multiple clouds and back-end virtual infrastructures. A good example is a federated community of users sharing some access for a common need, such as a business partner network. However, there’s still a lot of rethinking to do when it comes to identity and access control in cloud environments.

Each cloud provider has different authentication options available, which are limited by the type of service delivery model being implemented. In a public SaaS model, consumers must accept the types of authentication offered by the provider, so customization of account profiles and strong authentication types (such as digital certificates) may not be supported. PaaS and IaaS models offer varying degrees of control. For example, a customer can install and manage a services component that ties back in to the organization’s own infrastructure. Other models allow for a hybrid approach that combines provider-based technology with more granular customer management and customization of user profiles. Figure 3 illustrates what this may look like at a high level.


Figure 3: Authentication and Authorization in the Public Cloud

As Figure 3 shows, authorization—what resources an individual can use, for what purposes, and under what circumstances—is another critical function that must accompany access into the cloud. Taking privilege allocation to an acceptable level of granularity is another key concern with cloud computing. A robust Identity and Access Management (IAM) implementation will encompass fine-grained privilege allocation and definition, using standard concepts like Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs). Unfortunately, most public cloud services do not support such detailed role definition and provisioning or fine-grained authorization decisions.

Public and private cloud developers are working with some other well-defined authentication standards, such as the Security Assertion Markup Language (SAML) and OpenID (a centralized authentication and authorization service used by Google, Verisign and others). Some cloud providers are also adding innovative features for more extensive authentication and authorization. For example, Amazon now offers AWS Multi-Factor Authentication (MFA), a custom version of standard hardware-token one-time-use authentication.14 Amazon also offers a key rotation feature that allows customers to rotate access keys and certificates frequently, a critical security best practice.15 Microsoft’s SQL Azure service, on the other hand, still leverages traditional account creation and storage within its SQL instances. The more general Windows Azure platform, though, employs Microsoft’s proprietary “Web Role” and “Worker Role” instances, which can leverage existing ASP.NET frameworks and other technologies for access control and authorization.16 By supporting these standards and services, cloud environments (both public and private) can be made more IAM-friendly, easing integration with PEPs and PDPs between multiple network environments.

14 http://aws.amazon.com/mfa
15 http://aws-portal.amazon.com/gp/aws/developer/account/index.html?action=access-key
16 http://go.microsoft.com/fwlink/?LinkId=158011
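The PEP/PDP split described above can be made concrete. The following is an added example, not from the SANS paper and not a description of any provider’s IAM product: a Policy Decision Point that evaluates constructed attribute-based rules (role, action, resource type, data classification, tenant, and whether the session used a second factor) and a Policy Enforcement Point that wraps a protected operation and records every decision for audit. All role names, policies, subjects and resources are constructed for the illustration.

```python
"""A minimal Policy Decision Point (PDP) and Policy Enforcement Point (PEP).

Added example, not taken from the SANS paper. The roles, attributes and
policy rules are constructed to show fine-grained authorization; they do
not describe any cloud provider's IAM product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset   # roles asserted by the identity provider (e.g. via SAML)
    tenant: str        # tenant the session belongs to
    mfa: bool          # whether the session authenticated with a second factor


@dataclass(frozen=True)
class Resource:
    kind: str            # "vm" or "bucket"
    tenant: str          # owning tenant
    classification: str  # "public", "internal" or "regulated"


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset         # any one of these roles matches
    actions: frozenset
    kinds: frozenset
    max_classification: str  # highest data classification the policy may reach
    require_mfa: bool = False


CLASS_RANK = {"public": 0, "internal": 1, "regulated": 2}

# Constructed policy set (first match permits; anything unmatched is denied).
POLICIES = [
    Policy("operators-manage-vms", frozenset({"operator"}),
           frozenset({"start", "stop", "read"}), frozenset({"vm"}), "internal"),
    Policy("dba-regulated-read", frozenset({"dba"}),
           frozenset({"read"}), frozenset({"bucket", "vm"}), "regulated",
           require_mfa=True),
    Policy("everyone-read-public", frozenset({"operator", "dba", "auditor"}),
           frozenset({"read"}), frozenset({"vm", "bucket"}), "public"),
]


class PolicyDecisionPoint:
    """Answers 'may this subject perform this action on this resource?'."""

    def __init__(self, policies):
        self.policies = policies

    def decide(self, subject, action, resource):
        # The tenant boundary is checked before any role logic: a valid role
        # in one tenant never grants access to another tenant's resources.
        if subject.tenant != resource.tenant:
            return ("deny", "cross-tenant request")
        mfa_blocked = None
        for policy in self.policies:
            if not (subject.roles & policy.roles):
                continue
            if action not in policy.actions or resource.kind not in policy.kinds:
                continue
            if CLASS_RANK[resource.classification] > CLASS_RANK[policy.max_classification]:
                continue
            if policy.require_mfa and not subject.mfa:
                mfa_blocked = policy.name  # would permit, but step-up auth is missing
                continue
            return ("permit", policy.name)
        if mfa_blocked:
            return ("deny", f"{mfa_blocked} requires MFA")
        return ("deny", "no matching policy")


class PolicyEnforcementPoint:
    """Guards a protected operation and records every decision for audit."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit_log = []

    def invoke(self, subject, action, resource, operation):
        decision, reason = self.pdp.decide(subject, action, resource)
        self.audit_log.append((subject.user, action, resource.kind, decision, reason))
        if decision != "permit":
            raise PermissionError(reason)
        return operation()


# Constructed subjects and resources used for the demonstration.
ACME_VM = Resource("vm", "acme", "internal")
ACME_REG_BUCKET = Resource("bucket", "acme", "regulated")
OPERATOR = Subject("alice", frozenset({"operator"}), "acme", mfa=False)
DBA_NO_MFA = Subject("bob", frozenset({"dba"}), "acme", mfa=False)
DBA_MFA = Subject("bob", frozenset({"dba"}), "acme", mfa=True)
OUTSIDER = Subject("carol", frozenset({"operator"}), "bravo", mfa=True)

if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICIES))
    print(pep.invoke(OPERATOR, "stop", ACME_VM, lambda: "vm stopped"))
    for subj, act, res in [(DBA_NO_MFA, "read", ACME_REG_BUCKET),
                           (OUTSIDER, "read", ACME_VM)]:
        try:
            pep.invoke(subj, act, res, lambda: "should not run")
        except PermissionError as err:
            print(f"denied {subj.user}: {err}")
```

Two design choices matter here. The tenant check runs before any role is considered, so a role granted inside one tenant can never be used against another tenant’s resources, which is the multi-tenancy concern raised earlier in the paper. And the PDP reports why a request was denied (for example, that a policy would have permitted it had the session used a second factor), which the PEP writes to an audit log; that record is what an assessor later asks for.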


Data Protection

Most public cloud providers have features that can restrict access to resources, but few (if any) are truly content-aware. For example, Amazon EC2 allows network and resource access controls to be created with Security Groups. Amazon’s storage platform, S3, now has multiple methods of protecting data: in addition to digitally signed custom URL creation and standard access control lists for granting read/write and other basic permissions, it now has a concept called Bucket Policies.17 Bucket policies enable broader, multi-level access controls around S3 containers. However, even these controls have no context for the data they contain, nor do they have custom, specific policies that can identify the data as it traverses the cloud environment logically or even geographically. As such, no true data leakage detection and prevention is occurring in public clouds right now.

For privately owned and managed clouds, Data Loss Prevention (DLP) tools can be implemented much more easily because one organization owns and controls the cloud environment. The challenges with implementing DLP in private clouds are largely operational: data moves around more fluidly and dynamically in the private cloud infrastructure, so tracking it is more involved. Categorizing and fingerprinting data types are largely the same, however, and monitoring can be accomplished both within the virtual infrastructure supporting these clouds and at intersection points between virtual and physical networks.

17 http://aws.typepad.com/aws/2010/07/amazon-s3-bucket-policiesanother-way-to-protect-your-content.html
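The fingerprinting approach mentioned for private-cloud DLP can be shown in miniature. The following is an added example, not from the SANS paper: it registers constructed sensitive records as sets of hashed word shingles and scans constructed outbound payloads, reporting any payload that reproduces enough of a registered record. The documents, payloads and threshold are constructed; commercial DLP products use more elaborate fingerprinting, but the principle is the same.

```python
"""Fingerprint known sensitive records and look for them in outbound traffic.

Added example, not taken from the SANS paper. It illustrates one common
DLP technique, shingled hashing of registered documents, applied to
constructed payloads captured at a boundary between virtual and physical
networks. Documents, payloads and the match threshold are all constructed.
"""
import hashlib
import re

SHINGLE_SIZE = 5  # consecutive words per shingle


def normalize(text):
    """Lowercase and strip punctuation so reformatting does not defeat matching."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def shingles(text, size=SHINGLE_SIZE):
    """Return the set of truncated SHA-256 hashes of every word shingle in text."""
    words = normalize(text).split()
    count = max(0, len(words) - size + 1)
    return {
        hashlib.sha256(" ".join(words[i:i + size]).encode()).hexdigest()[:16]
        for i in range(count)
    }


def build_fingerprints(documents):
    """Map each registered document label to its shingle set (the fingerprint)."""
    return {label: shingles(body) for label, body in documents.items()}


def scan_payload(payload, fingerprints, threshold=0.3):
    """Return [(label, overlap)] for documents whose fingerprint overlaps the payload.

    overlap = matched shingles / document shingles, so sending only part of
    a record still registers once enough of it is present.
    """
    seen = shingles(payload)
    hits = []
    for label, fingerprint in fingerprints.items():
        if not fingerprint:
            continue
        overlap = len(seen & fingerprint) / len(fingerprint)
        if overlap >= threshold:
            hits.append((label, round(overlap, 2)))
    return sorted(hits)


# Constructed sensitive records registered with the DLP system.
SENSITIVE_DOCS = {
    "hr-salary-table": "employee id 1001 jane doe annual salary 91000 grade 7 "
                       "start date 2008 03 01",
    "customer-export": "customer acme corp contact ed smith account 44871 "
                       "credit limit 250000 terms net 30",
}

# Constructed outbound payloads seen at the monitoring point.
PAYLOADS = {
    "mail-to-partner": "FYI see attached. Employee ID 1001, Jane Doe, "
                       "annual salary 91000, grade 7.",
    "weekly-report": "Weekly report: uptime 99.9 percent, two tickets closed, "
                     "no incidents.",
}


def scan_all(payloads=PAYLOADS, documents=SENSITIVE_DOCS, threshold=0.3):
    """Scan every payload; returns {payload_name: [(document_label, overlap), ...]}."""
    fingerprints = build_fingerprints(documents)
    return {name: scan_payload(body, fingerprints, threshold)
            for name, body in payloads.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        status = "ALERT" if hits else "clean"
        print(f"{name}: {status} {hits}")
```

Only hashes of the registered records need to live at the monitoring point, not the records themselves, which matters when the monitor sits in shared infrastructure. The normalization step is what lets a record pasted into an e-mail with different capitalization and punctuation still match; the threshold is what trades false positives against partial leaks.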


Incident Response, Audit and Assessment

Incident response in cloud environments requires sound infrastructure management coupled with robust monitoring and alerting. For internal clouds, organizations need to have strong management capabilities and visibility into their systems. Virtualization tools enable organizations to run their infrastructures and set up their own monitoring. Some of these tools include virtualization-specific log management, intrusion detection, security event management, anti-malware and quarantine capabilities (including Network Access Control, or NAC).

However, in the case of public clouds, how does a customer know how their provider monitors and stores audit and assessment data? How does the provider separate that data from other customers’ event and assessment data? Cloud providers, by their nature, are custodians for far more data and must make use of management and security tools designed for safeguarding virtualized systems within their clouds.

When negotiating contracts with public cloud providers, customers must do their homework on the vendors. They should also define specific monitoring, alerting and response policies and triggers and incorporate them into service contracts. Be sure to specify when the service provider must alert the client, which specific events trigger that alert, and what detail the provider must supply for investigations. This policy will be similar to policies you already have internally; however, it will need to take into account the multi-tenancy and mobility issues associated with cloud application usage.
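Monitoring triggers written into a contract are only useful if they can be evaluated against what the provider actually delivers. The following is an added example, not from the SANS paper: it takes a constructed event export such as a provider might supply, a constructed set of triggers (a repeated-failure threshold within a time window and two single-event conditions), and produces alerts for one tenant while excluding every other tenant’s events. All tenant names, event types, timestamps and thresholds are constructed.

```python
"""Check provider-supplied event data against contractually agreed alert triggers.

Added example, not taken from the SANS paper. The event records, trigger
definitions and tenant names are constructed to show how the monitoring
and alerting clauses a customer writes into a service contract can be
evaluated mechanically, and how alert output stays scoped to one tenant.
"""
from datetime import datetime, timedelta

# Constructed event feed as a customer might receive it from a provider's
# log export (already parsed into dictionaries).
EVENTS = [
    {"ts": "2010-08-01T09:00:00", "tenant": "acme", "type": "auth_failure", "actor": "alice"},
    {"ts": "2010-08-01T09:00:20", "tenant": "acme", "type": "auth_failure", "actor": "alice"},
    {"ts": "2010-08-01T09:00:40", "tenant": "acme", "type": "auth_failure", "actor": "alice"},
    {"ts": "2010-08-01T09:01:00", "tenant": "acme", "type": "auth_failure", "actor": "alice"},
    {"ts": "2010-08-01T09:01:20", "tenant": "acme", "type": "auth_failure", "actor": "alice"},
    {"ts": "2010-08-01T10:15:00", "tenant": "acme", "type": "vm_migrated", "actor": "provider"},
    {"ts": "2010-08-01T11:00:00", "tenant": "bravo", "type": "vm_migrated", "actor": "provider"},
    {"ts": "2010-08-01T11:30:00", "tenant": "acme", "type": "acl_changed", "actor": "provider"},
]

# Constructed triggers: event type, how many within what window, severity.
TRIGGERS = [
    {"name": "brute-force-suspected", "type": "auth_failure", "count": 5,
     "window": timedelta(minutes=5), "severity": "high"},
    {"name": "workload-moved", "type": "vm_migrated", "count": 1,
     "window": timedelta(0), "severity": "info"},
    {"name": "provider-changed-acl", "type": "acl_changed", "count": 1,
     "window": timedelta(0), "severity": "high"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def make_alert(trig, tenant, evidence):
    """Build one alert record from the events that satisfied the trigger."""
    return {
        "trigger": trig["name"],
        "severity": trig["severity"],
        "tenant": tenant,
        "first": evidence[0]["ts"],
        "last": evidence[-1]["ts"],
        "count": len(evidence),
    }


def evaluate_triggers(events, triggers, tenant):
    """Return the alerts one tenant's events raise under the given triggers.

    Events belonging to other tenants are filtered out before evaluation,
    so they can neither raise nor suppress this tenant's alerts.
    """
    own = sorted((e for e in events if e["tenant"] == tenant), key=lambda e: e["ts"])
    alerts = []
    for trig in triggers:
        matching = [e for e in own if e["type"] == trig["type"]]
        if trig["count"] == 1:
            # Single-event triggers alert on every occurrence.
            for e in matching:
                alerts.append(make_alert(trig, tenant, [e]))
            continue
        # Threshold triggers: sliding window over the matching events; alert
        # once when the count inside the window first reaches the threshold.
        start = 0
        for i, e in enumerate(matching):
            while parse_ts(e["ts"]) - parse_ts(matching[start]["ts"]) > trig["window"]:
                start += 1
            if i - start + 1 >= trig["count"]:
                alerts.append(make_alert(trig, tenant, matching[start:i + 1]))
                break
    return sorted(alerts, key=lambda a: a["first"])


if __name__ == "__main__":
    for tenant in ("acme", "bravo"):
        for alert in evaluate_triggers(EVENTS, TRIGGERS, tenant):
            print(f"[{alert['severity']}] {tenant} {alert['trigger']}: "
                  f"{alert['count']} event(s) {alert['first']} .. {alert['last']}")
```

Each alert carries the first and last timestamp and the event count that satisfied the trigger, which is the level of detail the paper says a contract should require for investigations. Running the same trigger definitions on both the provider’s export and your own internal monitoring is a straightforward way to check that the provider is alerting when the contract says it must.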


Conclusion

As more organizations leverage cloud computing for applications, platforms and data storage, the need to ensure adequate security is paramount. Larger issues loom around user access and resources moving in and between private and public clouds, as well as around multi-tenancy and incident response. Cloud developers and service providers need to follow standards and controls in the areas of identity and access management, particularly around federated identity types, as well as standards for developing audit and compliance controls. Organizations using public clouds for processing critical data need assurance that key controls for data protection, and enforcement of least privilege and data segmentation, are in place. Organizations building their own private clouds need the same assurances within their own environments. Any policies they develop for their private clouds should ultimately be portable enough to migrate with the data into the public cloud as well.


About the Author

Senior SANS Analyst Dave Shackleford is director of security assessments and risk and compliance at Sword & Shield Enterprise Security, a SANS instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He has worked as chief security officer for Configuresoft, chief technology officer for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.


SANS would like to thank this paper’s sponsors, Catbird and McAfee.


Last Updated: May 19th, 2018
