Issues And Standards In Cloud Security

12/15/2014 Issues and Standards in Cloud Security
http://www.cse.wustl.edu/~jain/cse571-14/ftp/cloud_security/index.html

Harit Mehta, harit.mehta (at) go.wustl.edu (A paper written under the guidance of Prof. Raj Jain)

Abstract

Cloud computing has been one of the most important innovations in recent years providing cheap, virtual services that a few years ago demanded expensive, local hardware. Most business organizations are currently using cloud to handle multitudes of business operations. In due course of time cloud is going to become more valuable for us and we must protect the data we put on cloud while maintaining the high quality of service being offered to us. Fears over cloud security persist with hackers obtaining user information available online for notorious purposes. In the current scenario we tend to place a lot of data in the cloud, but what do we really know about its security? This paper discusses in detail various issues that arise in cloud security with respect to both customers and service providers. Various standards that define the aspects of cloud security related to safety of the data in the cloud and securely placing the data on the cloud are discussed. It further talks about a standard yet to be released and how it would impact once it is in the market.

Keywords: Cloud, Computing, Cloud Service Provider, Cloud Service Customer, Cloud Standards, Cloud Security, Security Threats, Information Technology Infrastructure Library (ITIL), Open Virtualization Format (OVF), ITU-T X.1601, PCI DSS, ISO/IEC 27017.

Table of contents

1. Introduction
2. Major threats and vulnerabilities
2.1 Security considerations
2.2 Threats for service providers
2.3 Threats for service customers
3. Governance, Regulation and Compliance Concerns
3.1 Visibility and Compliance
3.2 Storage, Retention and Destruction
3.3 Audit, Monitoring and Data Portability
3.4 Privacy Breaches and Law Violation
3.5 Government or Organizational Regulations
4. Cloud Security Standards
4.1 Information Technology Infrastructure Library (ITIL)
4.2 Open Virtualization Format
4.3 ITU-T X.1601
4.4 PCI DSS
4.5 ISO/IEC 27017 Code of practice for information security controls
5. Conclusion
6. References
7. Acronyms

1. Introduction

Cloud computing has seen quite rapid and significant growth in the last few years. The term "Cloud computing" came into existence to define the change that occurs when applications and services are moved into the Internet "cloud". Cloud computing is a huge shift from the client-server model to a model that provides faster and location-independent service [Dialogic].

Many companies as of now have started delivering services from the cloud. Notable examples are:

Google has a private cloud. It is used for delivering many different services to its users. These include email access, document applications, text translations, maps, and much more.

Microsoft has "Sharepoint". It allows for content and business intelligence tools to be moved into the cloud. Microsoft currently also makes its office applications available in a cloud.

Salesforce.com runs its application set for its customers in a cloud, and its Force.com and Vmforce.com products provide developers with platforms to build customized cloud services.

Some important features of cloud computing include agility, device independence, location independence, reduced cost, reliability, scalability, resource sharing and security [Michael10]. The primary function of a cloud however, is to provide service. These services fall into the following categories:

Infrastructure as a Service (IaaS): It is possible for the users to now buy infrastructure on the cloud. The software product a user purchases is now something that the user owns in the cloud. You are now running a virtual server on a virtual disk instead of running a virtual server locally on your equipment. An example is Amazon Web Services [Michael10].

Platform as a Service (PaaS): The service provider in this model provides a platform for use. The services provided therein include all phases of the Software Development Life Cycle (SDLC). The model makes it feasible to use application program interfaces (APIs), website portals, or gateway software. An example of such a model is PaaS in Google Apps [Michael10].

Software as a Service (SaaS): This model provides services to the end user. It has the finished software, which is available for use by the end user. SaaS is designed to provide the application and the platform. The software service provided to the user is on a lease for a particular time period. The service can be provided to the end user through some type of front end or web portal. Salesforce.com is one of the examples that offer this type of service [Michael10].

Thus, in today's world cloud computing is gaining huge importance and is expected to have a huge impact on how things are designed and used in the Internet. An important aspect of moving everything into the cloud is to keep everything safe and secure. It is important that everything we put on the cloud does not fall into malicious hands. In this paper we delve into the details of security aspects of cloud computing and the paper is divided into the following sections. Section 2 talks about the major threats and vulnerabilities the cloud faces. Section 3 of our paper discusses in detail the various Governance measures required to stem these issues. Section 4 talks about various industrial standards that have already been published covering security issues in cloud. In this section we also touch upon a new standard that will be published in 2015 for general use. Finally we present our conclusions from the discussion and the way ahead.

2. Major threats and vulnerabilities

In this section we first introduce the basic security considerations for the cloud security. Next we discuss the threats that are specific to cloud service providers (CSP) and cloud service customers (CSC).

2.1 Security considerations

There are several security issues and threats in the cloud and they can be categorized based on the security area that is under attack.
Below, we discuss some of these in detail.

Privacy: Privacy is one of the more pressing issues, for the cloud and for network security in general. It is an aspect of which the CSC must have absolute assurance. Privacy means that the data, personal information and identity of a CSC are not revealed to unauthorized users. How is the data stored within the cloud? Is it encrypted so that even the administrator cannot see it without the decryption key? The encryption and decryption keys are usually present with the client and hence the CSP should not be able to look at data in the clear. Are there multiple copies of the keys? Are there multiple copies of the data that is stored? A CSC has to take into account all these factors when choosing a CSP. Privacy has another threat: the insider threat. A CSP insider could easily access personal data of CSCs if the encryption keys were available to the CSP, if the stored data was not encrypted, or if the data was stored in multiple locations. From the perspective of a CSP, the CSCs may be able to sue them if their privacy rights are violated. Here, private information is personally identifiable information, credit card details, religion, sexual orientation, health records etc. [Hocenski10, Shahed09, Wiki].

Confidentiality: Confidentiality is the second most important aspect of security. It is essential that CSPs keep all data of a CSC confidential from other users as it moves between the communication channels. There must be end-to-end encryption (secure encrypted channels), client and server authentication and no data leakage. A cross-VM side-channel attack could compromise the confidentiality of a system.

Integrity: Integrity means that no data should be modified when it is transferred from source to destination. Ensuring the integrity of the data (transfer, storage, and retrieval) means that the data is changed only in response to authorized transactions.

Data Protection: A cloud has vast storage space. It stores a huge amount of data and information. It is therefore necessary for the CSPs to ensure that data privacy is maintained. Data isolation amongst users is important. Each CSC must have a separate address space and memory regions so that they do not access data or addresses that they should not be accessing. This isolation is usually ensured by assigning each CSC a dedicated virtual machine [Hocenski10, Shahed09, Wiki].

Identity Management: An identity management system controls access to data and information. Organizations tend to have their own identity management system. Cloud systems could integrate the CSC's identity management system with their own. Identity management is important in authentication, authorization and access control. CSCs assume that the service providers apply the "principle of least privilege" to their data. The principle of least privilege states that only the minimum access necessary to perform an operation should be granted, and that access should be granted only for the minimum amount of time necessary [Hocenski10, Wiki].

Availability: Availability is an important part of any system. Availability is lost when there is a denial of service attack launched on a service. All services provided by the cloud must be available at all times. CSCs must have regular and predictable access to their data and applications [Shahed09, Wiki].

Application Security: With PaaS, CSCs can design their own applications on the platform in the cloud. These applications must be tested and verified by the CSP before being made available for other users. In the absence of this, an attacker can create a malicious application, self-sign the application and put it up on the cloud for naive users to use. Application security also involves an application firewall for monitoring inbound and outbound traffic to the cloud.

Compatibility: Storage services provided by one vendor may not be compatible with those provided by another vendor. It is important for CSPs to design platforms in such a way that the applications or software built over them can be run and stored on other cloud infrastructures [Hocenski10, Shahed09, Wiki].

Data Retention: Ideally, there should be no data retention by the CSP after a legitimate request for destroying data comes from the CSC. However, if there are no multiple copies of data, then an attacker that has hijacked a session or gained privileged access could request that the data be destroyed and all data will be lost [Hocenski10, Wiki].

Data Security: Enterprises that use cloud services must be sure that their data is protected wherever it goes. An enterprise can also press for encrypting its data and allow only authorized people to access the data. For example, an enterprise may decide that its data should not be available outside its organization and may allow only specific officials to access the data.
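As an added illustration (not part of the original paper), the least-privilege rule stated under Identity Management above can be written as an access check that grants only named operations on one exact resource for a bounded time and denies everything else. The class, the principal and resource names, and the per-action lifetime limits are assumptions made for this example.

```python
import time
from dataclasses import dataclass

# Longest lifetime allowed per action, in seconds (assumed policy values).
MAX_TTL = {"read": 3600, "write": 900, "delete": 300}

@dataclass(frozen=True)
class Grant:
    principal: str       # CSC user or service identity
    resource: str        # one exact object path, never a wildcard
    actions: frozenset   # only the operations the task needs
    not_after: float     # epoch seconds after which the grant is void

class GrantStore:
    def __init__(self):
        self._grants = []

    def issue(self, principal, resource, actions, ttl, now=None):
        now = time.time() if now is None else now
        actions = frozenset(actions)
        if not actions or not actions <= set(MAX_TTL):
            raise ValueError("unknown or empty action set")
        if "*" in resource:
            raise ValueError("wildcard resources are not grantable")
        # The most sensitive requested action bounds the whole grant's lifetime.
        limit = min(MAX_TTL[a] for a in actions)
        if not 0 < ttl <= limit:
            raise ValueError(f"ttl must be in (0, {limit}] seconds")
        grant = Grant(principal, resource, actions, now + ttl)
        self._grants.append(grant)
        return grant

    def is_allowed(self, principal, resource, action, now=None):
        now = time.time() if now is None else now
        # Drop expired grants so they can never match again.
        self._grants = [g for g in self._grants if g.not_after > now]
        # Default deny: access needs a live grant naming this exact triple.
        return any(g.principal == principal and g.resource == resource
                   and action in g.actions for g in self._grants)

def demo():
    store, t0 = GrantStore(), 1_000_000.0   # constructed clock value
    who, obj = "alice@tenant-a", "tenant-a/reports/q3.csv"  # constructed names
    store.issue(who, obj, {"read"}, ttl=600, now=t0)
    return [store.is_allowed(who, obj, "read", now=t0 + 60),      # in scope
            store.is_allowed(who, obj, "delete", now=t0 + 60),    # action not granted
            store.is_allowed(who, "tenant-b/x.csv", "read", now=t0 + 60),  # other tenant
            store.is_allowed(who, obj, "read", now=t0 + 601)]     # grant expired
```

Capping the lifetime of a delete grant also narrows the window described under Data Retention, in which a hijacked session could request destruction of data.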

2.2 Threats for service providers

Based on the services that a CSP provides and the cloud environment, a CSP may face the following threats.

Wrongful use of administrative credentials: A CSP needs to give a CSC some degree of administrative access to the cloud so that the CSC can manage its data there. If an attacker can manage to pose as a valid CSC, this may enable the attacker to gain unauthorized access to the cloud and to tamper with it [X1601].

Inside threat: A CSP needs to be careful in providing administrative access to its employees. Carelessness of one such employee can lead to compromise of the CSP's administrative credentials and may allow an attacker to gain complete control of the cloud [X1601].

2.3 Threats for service customers

In this section we consider the threats that are faced by a CSC. Based on the CSC and type of service being used, the threats listed below may be responsible for violating a CSC's privacy or safety [X1601].

Data exposure: The data of various customers is stored in a single cloud. Because storage resources are shared, if the data of a CSC is not sufficiently protected using proper cryptographic management, it may be exposed to other CSCs who might not be authorized to access this data [X1601].

Access insecurity: Due to the distributed and shared nature of a cloud, accessing cloud services may also pose threats to the CSCs. The distributed nature of cloud service allows remote access of the service. If the remote connection is not secure then it may leave an open gate for an attacker to sniff for the CSC's credentials [X1601].

Above we have described the most important threats and issues that arise in the field of cloud computing and how they may cause problems to a CSP or a CSC. Apart from these, threats can also arise due to indirect denial of service, attacks such as the cross-VM side-channel attack, and malware infection [Shacham09].

In order to avoid the above issues and reduce them to a minimum we need certain safety measures and guidelines, which are described in the section below.

3. Governance, Regulation and Compliance Concerns

There exists a "trust but verify" relationship between CSPs and CSCs [IBM09]. Even if the workload has been moved to the cloud, the onus of compliance and protection has to be borne by the CSCs. In the following section, we list a few concerns related to security governance, regulation and compliance (GRC). Different models of cloud computing lead to variation in the amount of responsibility taken by the CSP and by the CSC. SaaS makes the CSP take maximum responsibility of security management. PaaS allows CSCs to assume more responsibility of the software applications and the middleware. Thus, security management is largely a job of the subscriber. IaaS makes the subscriber
