August, 2012
Contents
Acknowledgements ... 4
  Workgroup Leaders ... 4
  Key Contributors ... 4
  Reviewers ... 4
Introduction ... 5
Cloud Security Landscape ... 5
Cloud Security Guidance ... 7
  Step 1: Ensure effective governance, risk and compliance processes exist ... 8
  Step 2: Audit operational & business processes ... 11
  Step 3: Manage people, roles and identities ... 13
  Step 4: Ensure proper protection of data and information ... 15
  Step 5: Enforce privacy policies ... 18
  Step 6: Assess the security provisions for cloud applications ... 19
  Step 7: Ensure cloud networks and connections are secure ... 21
  Step 8: Evaluate security controls on physical infrastructure and facilities ... 25
  Step 9: Manage security terms in the cloud SLA ... 26
  Step 10: Understand the security requirements of the exit process ... 28
Cloud Security Assessment ... 28
Additional References ... 31
Appendix A: Worldwide Privacy Regulations ... 32
Appendix B: Acronyms & Abbreviations ... 34
Copyright 2012 Cloud Standards Customer Council
Acknowledgements

The Security for Cloud Computing: 10 Steps to Ensure Success document is a collaborative effort that brings together diverse customer focused experiences and perspectives into a single guide for IT and business leaders who are considering adopting cloud computing. The following participants have provided their expertise and time to this effort.

Workgroup Leaders

- Ryan Kean (The Kroger Co.): Workgroup chair; Application Section Leader
- David Harris (Boeing): Workgroup chair; Cloud Security Assessment Section Leader
- John Meegan (IBM): Lead Technical Editor; Introduction and SLA Section Leader
- Barry Pardee (Tailwind Associates): Current Landscape Section Leader
- Yves Le Roux (CA Technologies): GRC Section Leader
- Chris Dotson (IBM): Network & Connections Section Leader
- Eric Cohen (PricewaterhouseCoopers): Auditing Section Leader
- Mike Edwards (IBM): Data Section Leader; Infrastructure Section Leader; Exit Process Section Leader
- Jonathan Gershater (Trend Micro): People, Roles & Identity Section Leader

Key Contributors

The workgroup leaders wish to recognize the following individuals for their outstanding efforts to provide content, share their expertise and ensure completeness of the white paper: Matt Rutkowski (IBM), Shamun Mahmud (DLT Solutions).

Reviewers

The following reviewers provided feedback on the white paper: Keith Trippie (Department of Homeland Security), Michael Chen (Cluster Technology Limited), Jeffery Finke (The MITRE Corporation), Dave Russell (IBM), Andrew Low (IBM).
Introduction
The aim of this guide is to provide a practical reference to help enterprise information technology (IT) and business decision makers as they analyze and consider the security implications of cloud computing on their business. The paper includes a list of steps, along with guidance and strategies, designed to help these decision makers evaluate and compare security offerings in key areas from different cloud providers.

When considering a move to use cloud computing, consumers must have a clear understanding of potential security benefits and risks associated with cloud computing, and set realistic expectations with their cloud provider. Consideration must be given to the different models of service delivery: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), as each model brings different security requirements and responsibilities. Additionally, this paper highlights the role that standards play to improve cloud security and also identifies areas where future standardization could be effective.

The section titled Current Cloud Security Landscape provides an overview of the security and privacy challenges pertinent to cloud computing and points out considerations that organizations should weigh when outsourcing data, applications, and infrastructure to a cloud computing environment.

The section titled Cloud Security Guidance is the heart of the guide and includes the steps that can be used as a basis for evaluation of cloud provider security. It discusses the threats, technology risks, and safeguards for cloud computing environments, and provides the insight needed to make informed IT decisions on their treatment. Although guidance is provided, each organization must perform its own analysis of its needs, and assess, select, engage, and oversee the cloud services that can best fulfill those needs.

The section titled Cloud Security Assessment provides consumers with an efficient method of assessing the security capabilities of cloud providers and assessing their individual risk. A questionnaire for consumers to conduct their own assessment across each of the critical security domains is provided.

A related document, the Practical Guide to Cloud Service Level Agreements [1], released by the Cloud Standards Customer Council (CSCC) in April 2012, provides additional guidance on evaluating security criteria in cloud SLAs.
Cloud Security Landscape
While security and privacy concerns when using cloud computing services are similar to those of traditional non-cloud services, concerns are amplified by external control over organizational assets and the potential for mismanagement of those assets. Transitioning to public cloud computing involves a transfer of responsibility and control to the cloud provider over information as well as system components that were previously under the organization's direct control. The transition is usually accompanied by loss of direct control over the management of operations and also a loss of influence over decisions made about the computing environment.

Despite this inherent loss of control, the cloud service consumer still needs to take responsibility for their use of cloud computing services in order to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization. The consumer achieves this by ensuring that the contract with the provider and its associated service level agreement (SLA) has appropriate provisions for security and privacy. In particular, the SLA must help maintain legal protections for privacy relating to data stored on the provider's systems. The consumer must also ensure appropriate integration of the cloud computing services with their own systems for managing security and privacy.

Cloud computing represents a very dynamic area at the present time, with new suppliers and new offerings arriving all the time. There are a number of security risks associated with cloud computing that must be adequately addressed: [2]

- Loss of governance. For public cloud deployments, consumers necessarily cede control to the cloud provider over a number of issues that may affect security. At the same time, cloud service level agreements (SLA) may not offer a commitment to provide such capabilities on the part of the cloud provider, thus leaving gaps in security defenses.
- Responsibility ambiguity. Given that use of cloud computing services spans across the consumer and the provider organizations, responsibility for aspects of security can be spread across both organizations, with the potential for vital parts of the defenses to be left unguarded if there is a failure to allocate responsibility clearly. The split of responsibilities between consumer and provider organizations is likely to vary depending on the model being used for cloud computing (e.g. IaaS versus SaaS).
- Isolation failure. Multi-tenancy and shared resources are defining characteristics of public cloud computing. This risk category covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks).
- Vendor lock-in. Dependency on proprietary services of a particular cloud provider could lead to the consumer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.
- Compliance and legal risks. Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to use cloud computing if the cloud provider cannot provide evidence of their own compliance with the relevant requirements or if the cloud provider does not permit audit by the cloud consumer. It is the responsibility of the cloud consumer to check that the cloud provider has appropriate certifications in place, but it is also necessary for the cloud consumer to be clear about the division of security responsibilities between the consumer and the provider and to ensure that the consumer's responsibilities are handled appropriately when using cloud computing services.
- Handling of security incidents. The detection, reporting and subsequent management of security breaches is a concern for consumers, who are relying on providers to handle these matters.
- Management interface vulnerability. Consumer management interfaces of a public cloud provider are usually accessible through the Internet and mediate access to larger sets of resources than traditional hosting providers and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
- Data protection. Cloud computing poses several data protection risks for cloud consumers and providers. The major concerns are exposure or release of sensitive data but also include loss or unavailability of data. In some cases, it may be difficult for the cloud consumer (in the role of data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated cloud services.
- Malicious behavior of insiders. Damage caused by the malicious actions of insiders working within an organization can be substantial, given the access and authorizations they may have. This is compounded in the cloud computing environment since such activity might occur within either or both the consumer organization and the provider organization.
- Business failure of the provider. Such failures could render data and applications essential to the consumer's business unavailable.
- Service unavailability. This could be caused by a host of factors, from equipment or software failures in the provider's data center, through failures of the communications between the consumer systems and the provider services.
- Insecure or incomplete data deletion. Requests to delete cloud resources, for example, when a consumer terminates service with a provider, may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a consumer perspective), either because extra copies of data are stored but are not available, or because the disk to be deleted also stores data from other clients. In the case of multi-tenancy and the reuse of hardware resources, this represents a higher risk to the consumer than is the case with dedicated hardware.

[1] See http://www.cloudstandardscustomercouncil.org/2012_Practical_Guide_to_Cloud_SLAs.pdf
[2] Credit to European Network and Information Security Agency (ENISA). Visit http://www.enisa.europa.eu/ for more information.
Cloud Security Guidance

As consumers transition their applications and data to use cloud computing, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environment. Failure to ensure appropriate security protection could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing.
This section provides a prescriptive series of steps that should be taken by cloud consumers to evaluate and manage the security of their cloud environment with the goal of mitigating risk and delivering an appropriate level of support. The following steps are discussed in detail:

1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud SLA
10. Understand the security requirements of the exit process

Requirements and best practices are highlighted for each step. In addition, each step takes into account the realities of today's cloud computing landscape and postulates how this space is likely to evolve in the future, including the important role that standards will play to improve interoperability and comparability across providers.
Step 1: Ensure effective governance, risk and compliance processes exist

Most organizations have established security and compliance policies and procedures that are used to protect their intellectual property and corporate assets, especially in the IT space. These policies and procedures are developed based upon risk analyses to the organization, considering the impact of having these assets compromised. A framework of controls and further procedures are established to mitigate risk and serve as a benchmark for the execution and validation of compliance. These principles and policies, the enterprise security plan, and the surrounding quality improvement process represent the enterprise security governance, risk management, and compliance model.

Security controls in cloud computing are similar to those in traditional IT environments. However, because of the cloud service and operational models employed, with the implied organizational division of responsibilities and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions. As part of the transition to cloud computing, it is critical that consumers understand their level of risk tolerance and focus on mitigating the risks that the organization cannot afford to neglect.
The primary means a consumer of cloud service has to ensure their cloud hosted applications and data will be secured in accordance with its security and compliance policies is to verify that the contract between the consumer and the provider, along with an associated service level agreement (SLA), contain all their requirements. It is vital for a consumer to understand all the terms related to security and to ensure that those terms meet the needs of the consumer. If a suitable contract and SLA is not available, then it is inadvisable for an organization to proceed with the use of cloud services.

Often it is not understood that the type of service model being offered by the provider (i.e. IaaS, PaaS or SaaS) has significant impact on the assumed "split of responsibilities" between the consumer and the provider to manage security and associated risks. For IaaS, the provider is supplying (and responsible for securing) basic IT resources such as machines, disks and networks. The consumer is responsible for the operating system and the entire software stack necessary to run applications, plus the data placed into the cloud computing environment. As a result, most of the responsibility for securing the applications themselves and the data they use falls onto the consumer. In contrast, for SaaS, the infrastructure, software and data are primarily the responsibility of the provider, since the consumer has little control over any of these features of the service. These aspects need appropriate handling in the contract and SLA.

From a general governance perspective, cloud providers should notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was their fault.
A fundamental design premise in cloud computing is that, as a consumer, your data can be stored by, processed on and transmitted to any of the servers or devices the cloud service provider operates. In some instances, servers hosting consumer data may be located in multiple data centers within different jurisdictions, either because the service provider has multi-jurisdictional operations or has subcontracted services to providers that operate in other jurisdictions. This means that it may be difficult at any particular point in time to know where your data actually resides, which regulators have jurisdiction and what regulations apply. This matters since some regulations restrict the allowable locations for data.

The jurisdictional issue directly influences the protection of personally identifiable information (PII) and the law enforcement access to this data. There is divergence across countries in the laws on investigation and enforcement, including access to encrypted data and investigation of extraterritorial offences. A court can only hear a matter if it has jurisdiction over the parties and the subject matter of the action, while law enforcement agencies can only exercise their powers within their authorized jurisdictions.

Before migrating services to a cloud computing environment, it is important to understand precisely the specific laws or regulations that apply to the services and what are the relevant duties or obligations imposed (e.g. data retention, data protection, interoperability, medical file management, disclosure to authorities). This allows consumers to identify the legal issues and the related legal risks, and consequently the impact these will have on the services being migrated to cloud computing.

One useful approach to the security challenges of cloud computing is for a cloud provider to demonstrate that they are compliant with an established set of security controls. Certification of the provider gives more confidence in that provider to prospective consumers. There are a number of different certifications which can be useful for cloud computing services; which one is most appropriate depends to some extent on the cloud service model (IaaS, PaaS, SaaS) and also depends on your regional and industry requirements.

The most widely recognized international standard for information security compliance is ISO/IEC 27001, which includes national variants and well developed certification regimes. ISO is currently developing new standards, ISO/IEC 27017 "Security in Cloud Computing" and ISO/IEC 27018 "Privacy in Cloud Computing", which will specifically address cloud security and privacy considerations that build upon ISO/IEC 27001.

Some organizations provide frameworks and certifications for evaluating IT security which can be applied to cloud service providers, including the American Institute of Certified Public Accountants (AICPA) and Information Systems Audit and Control Association (ISACA), which provide the SSAE 16 and CoBIT 5 frameworks respectively. Other organizations provide specialized frameworks for specific services or industries, such as the Payment Card Industry (PCI) Data Security Standard (DSS). Groups such as the Cloud Security Alliance (CSA) provide guidance which includes a Cloud Controls Matrix (CCM), a provider self assessment program, Consensus Assessment Initiative (CAI), Certificate of Cloud Security Knowledge (CCSK), and a registry to publish the self evaluation results (STARS).
Step 2: Audit operational & business processes

Companies understand the importance of auditing the compliance of IT systems, which host their applications and data, to assess effectiveness in enforcing their corporate, industry or government requirements and policies.

As a baseline, consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self management of audit event, log and report information relevant to a consumer's specific data or applications.

Security compliance tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing is of particular interest to cloud consumers and to auditors:

1. Understanding the internal control environment of a cloud provider, including risks, controls and other governance issues when that environment touches the provision of cloud services.
2. Access to the corporate audit trail, including workflow and authorization, when the audit trail spans cloud services.
3. Assurance of the facilities for management and control of cloud services made available to cloud consumers by cloud providers and how such facilities are secured.

Understanding the internal control environment of a cloud provider

Using the services of cloud providers creates the need for appropriate auditing of the activities of persons that may be employed by the cloud provider or consumer (along with any consumer customers and partners) to ensure that the security controls meet the requirements of the consumers. Consumers should expect to see audit information relating to any cloud provider they plan to use. There are alternative standards that can be used as the basis for auditing a service provider, such as the ISO 27000 series. These standards aim to provide the basis for assuring consumers about the nature of the controls environment in place at the cloud provider's organization.
Key controls that relate to cloud computing services include those which:

- ensure isolation of consumer applications and data in shared, multi-tenant environments
- provide protection of consumer assets from unauthorized access by the provider's staff

Security and authentication technologies, allied to event logging, in the cloud computing environment can help auditors as they deal with issues related to workflow: were those who entered, approved, changed or otherwise touched data authorized to do so, on an individual, group or role related basis? Was that authorization appropriate on a one time, periodic or ongoing basis?

Access to the corporate audit trail

It is vital for cloud service consumers to have appropriate audit access to cloud provider events, logs and audit trails to prove enforcement of provider security controls. Auditors need to assure cloud consumers that all the necessary information is being logged and stored appropriately by cloud providers, including authentication, authorization and management information relating to the use of particular applications and data against all security and compliance policies established by the provider or consumer.

For complete insight into security controls, as they relate to the consumer's applications and data, mechanisms for the routine flow of audit information from the provider to the consumer are recommended. This flow may include secure logs and reports against an agreed upon schedule. There should be more timely notification of any exceptional security alerts, events or incidents, and incident management processes should be documented and audited. Any audit data should have the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established. [11] Ideally, there should be automated, standards based, programmatic access to all of these audit facilities, to ensure timely availability of required data and to remove cost burdens associated with human processing of requests for information.

Assurance of the facilities for management and control of cloud services

In addition to controls which apply to cloud services themselves, there is also a need for providers to enable consumers to self manage and more closely monitor the usage of their cloud hosted applications and services. These facilities may include: service catalogs, subscription services, payment processes, the provision of streams of operational event data and logs, usage metering data, facilities for configuring services including adding and removing user identities and the configuration of authorizations.

These facilities are often more sensitive in security terms than the services and applications to which they apply, since the potential for abuse and damage may be higher. A security audit must extend to these facilities as well as to the main services of the provider.
[11] The emerging DMTF Cloud Audit Data Federation (CADF) Workgroup is planning to develop an audit event data
Step 3: Manage people, roles and identities

Consumers must ensure that their cloud provider has processes and functionality that govern who has access to the consumer's data and applications. This ensures access to their cloud environments is controlled and managed.

Organizations manage dozens to thousands of employees and users who access their cloud applications and services, each with varying roles and entitlements. Cloud providers must allow the cloud consumer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies. These roles and authorization rights are applied on a per resource, service or application basis. For example, a cloud consumer, in accordance with its security policies, may have an employee whose role permits them to generate a purchase request, but a different role and authorization rights are granted to another employee responsible for approving the request.

The cloud provider must have a secure system for provisioning and managing unique identities for their users and services. This Identity Management functionality must support simple resource accesses and robust consumer application and service workflows. A key requirement for moving a consumer application to the cloud is assessing the provider's ability to allow the consumer to assign their user identities into access groups and roles that reflect their operational and business security policies.

Any user access or interaction with the provider's management platform, regardless of role or entitlement, should be monitored and logged to provide auditing of all access to consumer data and applications.

Table 1 highlights the key features a cloud provider should support in order for a consumer to effectively manage people, roles and identities in the cloud:

Table 1. Cloud provider support for people, roles and identities
Provider supports: Federated Identity Management (FIM), External Identity Providers (EIP)
Consumer considerations and questions: Enterprises that are cloud consumers, in many cases, already have an existing database of users, most likely stored in an enterprise directory, and they wish to leverage this user database without recreating user identities.
Question to cloud provider: Can I integrate my current user store (internal database or directory of users) without recreating all my users within your cloud environment?

Provider supports: Identity Provisioning and Delegation
Consumer considerations and questions: Consumer organizations need to administer their own users; the cloud provider should support delegated administration.
Question to cloud provider: What provisioning tools do you provide for onboarding and offboarding users?
Question to cloud provider: Does your platform offer delegated administration for my organization to administer users?

Provider supports: Single Sign-On (SSO), Single Sign-Off
Consumer considerations and questions: Consumer organizations may wish to federate identity across applications to provide single sign-on (SSO) along with single sign-off to assure user sessions get terminated properly. For example, an organization using separate SaaS applications for CRM and ERP would like single sign-on and sign-off across these applications (e.g. using standards such as SAML, WS-Federation and OAuth).
Question to cloud provider: Do you offer single sign-on for access across multiple applications you offer, or trusted federated single sign-on across applications with other vendors?

Provider supports: Identity and Access Audit
Consumer considerations and questions: Consumers need auditing and logging reports relating to service usage for their own assurance as well as compliance with regulations.
Question to cloud provider: What auditing logs, reports, alerts and notifications do you provide in order to monitor user access, both for my needs and for the needs of my auditor?

Provider supports: Robust Authentication
Consumer considerations and questions: For access to high value assets hosted in the cloud, cloud consumers may require that their provider support strong, multi-factor, mutual and/or even biometric authentication.
Question to cloud provider: If required, does your platform support strong, multi-factor or mutual authentication?

Provider supports: Role, Entitlement and Policy Management
Consumer considerations and questions: Cloud consumers need to be able to describe and enforce their security policies, user roles, groups and entitlements to their business and operational applications and assets, with due consideration for any industry, regional or corporate requirements.
Question to cloud provider: Does your platform offer fine-grained access control so that my users can have different roles that do not create conflicts or violate compliance guidelines?
Step 4: Ensure proper protection of data and information

Data are at the core of IT security concerns for any organization, whatever the form of infrastructure that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.

Essentially, the questions relating to data for cloud computing are about various forms of risk: risk of theft or unauthorized disclosure of data, risk of tampering or unauthorized modification of data, risk of loss or of unavailability of data. It is also worth remembering that in the case of cloud computing, "data assets" may well include things such as application programs or machine images, which can have the same risk considerations as the contents of databases or data files.

The general approaches to the security of data are well described in specifications such as the ISO 27002 standard, and these control oriented approaches apply to the use of cloud computing services, with some additional cloud specific considerations as described in the ISO 27017 standard (currently under development). Security controls as described in ISO 27002 highlight the general features that need to be addressed, to which specific techniques and technologies can then be applied.
Controls
Createadataassetcatalog
Description
Akeyaspectofdatasecurityisthecreationofadataassetcatalog, identifyingalldataassets,classifyingthosedataassetsintermsof criticalitytothebusiness(whichcaninvolvefinancialandlegal considerations,includingcompliancerequirements),specifying ownershipandresponsibilityforthedataanddescribingthe location(s)andacceptableuseoftheassets. Relationshipsbetweendataassetsalsoneedtobecataloged. Anassociatedaspectisthedescriptionofresponsiblepartiesand roles,whichinthecaseofcloudcomputingmustspanthecloud serviceconsumerorganizationandthecloudserviceprovider organization. Organizationsareincreasingtheamountofunstructureddataheld onITsystems,whichcanincludeitemssuchasimagesofscanned documentsandpicturesofvariouskinds. Unstructureddatacanbesensitiveandrequirespecifictreatment forexampleredactionormaskingofpersonalinformationsuchas signatures,addresses,licenseplates. Forstructureddata,inamultitenancycloudenvironment,data heldindatabasesneedsconsideration.Databasesegmentationcan beofferedinacoupleofvarieties:sharedorisolateddataschema. o Inashareddataschema,eachcustomersdatais intermixedwithinthesamedatabase.Thismeansthat customerA'sdatamayresideinrow1whilecustomerB's dataresidesinrow2. Inanisolatedarchitecture,theconsumers'datais segregatedintoitsowndatabaseinstance.Whilethismay provideadditionalisolation,italsoimpactstheproviders' economiesofscaleandcould,potentially,increasethe
Considerallformsofdata
Copyright2012CloudStandardsCustomerCouncil
Page16
Considerprivacyrequirements
Data privacy often involves laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users. This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation at the time of writing) addresses the controls required for PII. These controls may restrict the geographical location in which the data is stored, for example, which runs counter to one aspect of cloud computing, namely that cloud computing resources can be distributed in multiple locations.

Apply confidentiality, integrity and availability

The key security principles of confidentiality, integrity and availability are applied to the handling of the data through a set of policies and procedures, which should reflect the classification of the data.

- Sensitive data should be encrypted, both when it is stored on some medium (at rest) and when it is in transit across a network, for example between storage and processing, or between the provider's system and a consumer user's system.
  o An extra consideration when using cloud computing concerns the handling of encryption keys: where are the keys stored, and how are they made available to application code that needs to decrypt the data for processing? It is not advisable to store the keys alongside the encrypted data, for example; a key held next to the ciphertext it protects gives anyone who can read the storage both at once.
- Integrity of data can be validated using techniques such as message digests or secure hash algorithms, allied to data duplication, redundancy and backups. Note that an unkeyed digest stored next to the data only detects accidental corruption; to detect deliberate modification, the digest must be kept where the party who can rewrite the data cannot rewrite it too, or a keyed construction such as an HMAC must be used.
- Availability can be addressed through backups and/or redundant storage and resilient systems, and techniques related to the handling of denial of service attacks. There is also a need for a failover strategy, either by using a service provider who offers this as part of their service offering, or, if the provider does not offer resiliency as a feature of their services, by the consumer self-provisioning failover with equivalent services on standby with another provider.
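As an added illustration of the integrity point above (example code written for this edit, not part of the original CSCC document): the consumer keeps a keyed digest (HMAC-SHA256) of every object it uploads in a manifest held outside the cloud storage, with the HMAC key held by the consumer, and checks each replica on read. A replica that fails the check is repaired from one that passes, which is where duplication and backups come in. The object names, contents, replica layout and the corrupted copy are all constructed sample data.

```python
import hashlib
import hmac
import secrets

# Integrity manifest kept by the consumer, outside the cloud storage that holds
# the objects (constructed example; object names and contents are made up).
# The HMAC key lives with the consumer, so a party that can rewrite the stored
# object cannot also produce a matching tag for the altered contents.

def make_key() -> bytes:
    return secrets.token_bytes(32)

def tag(key: bytes, name: str, data: bytes) -> str:
    # Bind the object name into the MAC so a validly tagged object cannot be
    # swapped in under a different name.
    mac = hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256)
    return mac.hexdigest()

def build_manifest(key: bytes, objects: dict) -> dict:
    """Record a tag for every object at upload time."""
    return {name: tag(key, name, data) for name, data in objects.items()}

def verify(key: bytes, manifest: dict, name: str, data: bytes) -> bool:
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, tag(key, name, data))

def read_with_repair(key: bytes, manifest: dict, name: str, replicas: dict):
    """Return (data, repaired_replica_ids) for object `name`.

    `replicas` maps a replica id to {object name: bytes}. Every replica is
    checked; the first that verifies is returned, any that fail are rewritten
    from it and reported. Raises if no replica verifies, in which case
    restoring from backup is the next step."""
    good = None
    bad = []
    for rid, store in replicas.items():
        data = store.get(name)
        if data is not None and verify(key, manifest, name, data):
            good = data if good is None else good
        else:
            bad.append(rid)
    if good is None:
        raise ValueError(f"no valid replica of {name!r}")
    for rid in bad:
        replicas[rid][name] = good   # repair from a verified copy
    return good, bad

def demo():
    key = make_key()
    objects = {"customer-export.csv": b"id,name\n1,alice\n2,bob\n",
               "config.json": b'{"region": "eu-west-1"}'}
    manifest = build_manifest(key, objects)
    # Two replicas; one copy of the export is altered (bit rot or an attacker).
    replicas = {"zone-a": dict(objects), "zone-b": dict(objects)}
    replicas["zone-b"]["customer-export.csv"] = b"id,name\n1,alice\n2,mallory\n"
    data, repaired = read_with_repair(key, manifest, "customer-export.csv", replicas)
    return data, repaired, replicas["zone-b"]["customer-export.csv"] == data

if __name__ == "__main__":
    print(demo())
```

The manifest and key are the consumer's copy of the truth; they must not be stored in the same bucket as the objects, or the separation the text asks for is lost.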
Apply identity and access management

Identity and access management is a vital aspect of securing data (refer to Step 3: Manage people, roles and identities on page 13), with appropriate authorization being required before any user is permitted to access sensitive data in any way. Related to this is the requirement for logging and security event management (e.g. the reporting of any security breaches) relating to the activities taking place in the cloud service provider environment. Following from this is the need for a clear set of procedures relating to data forensics in the event of a security incident. Note that the logs and reporting mechanisms are also in need of appropriate security treatment, to prevent a wrongdoer from being able to cover their tracks: an attacker who gains write access to the log store will typically delete or rewrite the entries that record the intrusion, so logs should be shipped to a store the monitored systems cannot modify and protected so that deletion or alteration is detectable.
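One way to make the log tamper-evident, as an added example written for this edit rather than code from the CSCC document: each record carries the hash of the record before it, and the latest hash (the anchor) is copied to a store the logged systems cannot write to. Deleting, editing or reordering an entry then breaks verification at that point, and truncating the log is caught by the anchor comparison. The event records are constructed sample data.

```python
import hashlib
import json

# Hash-chained audit log (constructed example). Each record stores the hash of
# the previous record, so any change to an earlier record invalidates every
# hash after it. The anchor (latest hash) is kept off the logged system, e.g.
# in a separate account or write-once store, so an attacker who can rewrite
# the log file cannot simply rebuild the whole chain to match.

GENESIS = "0" * 64

def record_hash(prev_hash: str, entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()

def append(log: list, entry: dict) -> str:
    """Append an entry and return the new anchor."""
    prev = log[-1]["hash"] if log else GENESIS
    h = record_hash(prev, entry)
    log.append({"entry": entry, "prev": prev, "hash": h})
    return h

def verify_chain(log: list, anchor: str):
    """Return (ok, index_of_first_bad_record); index is None when ok and
    len(log) when the chain is internally consistent but does not end at the
    trusted anchor (i.e. records were removed from the end)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or record_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if prev != anchor:
        return False, len(log)
    return True, None

def demo():
    log = []
    events = [   # constructed sample events
        {"ts": "2012-08-01T10:00:00Z", "user": "svc-backup", "action": "login", "src": "10.0.0.5"},
        {"ts": "2012-08-01T10:02:13Z", "user": "svc-backup", "action": "read", "obj": "customer-export.csv"},
        {"ts": "2012-08-01T10:02:40Z", "user": "svc-backup", "action": "download", "obj": "customer-export.csv"},
    ]
    anchor = None
    for e in events:
        anchor = append(log, e)
    intact = verify_chain(log, anchor)
    # An intruder with write access to the log deletes the download record...
    deleted = [dict(r) for r in log]
    del deleted[2]
    # ...or rewrites which object was read.
    edited = [dict(r, entry=dict(r["entry"])) for r in log]
    edited[1]["entry"]["obj"] = "public-banner.png"
    return intact, verify_chain(deleted, anchor), verify_chain(edited, anchor)

if __name__ == "__main__":
    print(demo())
```

The chain only proves that the stored records have not been altered since they were written; an intruder who controls the writer can still log false events, which is why the text also asks for the reporting mechanism itself to be protected.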
Step 5: Enforce privacy policies

Privacy is gaining in importance across the globe, often involving laws and regulations relating to the acquisition, storage and use of personally identifiable information (PII). Typically, privacy implies limitations on the use and accessibility of PII, with associated requirements to tag the data appropriately, store it securely and to permit access only by appropriately authorized users. This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider's infrastructure. The ISO 27018 standard (in preparation at the time of writing) addresses the controls required for PII.

In many countries, numerous laws, regulations and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems. Appendix A on page 31 provides an overview of the worldwide privacy regulations that currently exist.

When data is transferred to a cloud computing environment, the responsibility for protecting and securing the data typically remains with the consumer (the data controller in EU terminology [15]), even if in some circumstances this responsibility may be shared with others. When an organization relies on a third party to host or process its data, the data controller remains liable for any loss, damage, or misuse of the data. It is prudent, and may be legally required, that the data controller and the cloud provider enter into a written (legal) agreement that clearly defines the roles and expectations of the parties, and allocates between them the many responsibilities that are attached to the data at stake.

It is critical that privacy issues are adequately addressed in the cloud contract and service level agreement (SLA). If not, the cloud consumer should consider alternate means of achieving their goals, including seeking a different provider, or not putting sensitive data into the cloud computing environment. For example, if the consumer wishes to place HIPAA covered information into a cloud computing environment, the consumer must find a cloud service provider that will sign a HIPAA business associate agreement, or else not put that data into the cloud computing environment.

Enterprises are responsible for defining policies to address privacy concerns and raise awareness of data protection within their organization. They are also responsible for ensuring that their cloud providers adhere to the defined privacy policies. Consumers have an ongoing obligation to monitor their provider's compliance with those policies. This includes an audit program covering all aspects of the privacy policies, including methods of ensuring that corrective actions will take place.

[15] The European Union provides a glossary of terms associated with data protection here: http://www.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Glossary
Step 6: Assess the security provisions for cloud applications

Organizations need to proactively protect their business critical applications from external and internal threats throughout their entire lifecycle, from design to implementation to production. Clearly defined security policies and processes are critical to ensure the application is enabling the business rather than introducing additional risk.

Application security poses specific challenges to the cloud provider and consumer. Organizations must apply the same diligence to application security as they do for physical and infrastructure security. If an application is compromised, it can present liability and perception issues to both the cloud provider and the consumer, especially if the ultimate end users of the application are customers of the consumer rather than employees.

In order to protect an application from various types of breaches, it is important to understand the application security policy considerations based on the different cloud deployment models (the service models IaaS, PaaS and SaaS in NIST terminology). Table 3 highlights the impact of cloud deployment on application security. All of these considerations are in addition to those outlined in this white paper (facilities, network, data, etc).

Table 3. Deployment model impact on application security

Infrastructure as a Service (IaaS):
- The consumer has responsibility for deployment of the complete software stack (operating system, middleware and application) and for all aspects of security that relate to this stack.
- The application security policy should closely mimic the policy of applications hosted internally by the consumer.
- The consumer should focus on network, physical environment, auditing, authorization, and authentication considerations as outlined in this document.
- The consumer is typically responsible for patching of operating system, middleware and application.
- Appropriate data encryption standards should be applied.

Platform as a Service (PaaS):
- The consumer has responsibility for application deployment and for securing access to the application itself.
- The provider has responsibility for properly securing the infrastructure, operating system and middleware.
- The consumer should focus on audit, authorization, and authentication considerations as outlined in this document.
- Appropriate data encryption standards should be applied.
- In a PaaS model, the consumer may or may not have knowledge of the format and location of their data. It is important that they know how their data may be accessed by individuals with administrative access.

Software as a Service (SaaS):
- Application tier security policy constraints are mostly the responsibility of the provider and are dependent upon terms in the contract and SLA. The consumer must ensure that these terms meet their confidentiality, integrity and availability requirements.
- It is important to understand the provider's patching schedule, controls for malware, and release cycle.
- Threshold policies help to identify unexpected spikes and reductions in user load on the application. Thresholds are based on resources, users and data requests.
- Typically, the consumer is only able to modify parameters of the application that have been exposed by the provider. These parameters are likely independent of application security configuration; however, the consumer should ensure that their configuration changes augment, not inhibit, the provider's security model.
- The consumer should have knowledge of how their data is protected against administrative access by the provider. In a SaaS model, the consumer will likely not be aware of the location and format of the data storage.
- The consumer must understand the data encryption standards which are applied to data at rest and in motion.
Step 7: Ensure cloud networks and connections are secure

A cloud service provider must attempt to allow legitimate network traffic and drop malicious network traffic, just as any other Internet connected organization does. However, unlike many other organizations, a cloud service provider will not necessarily know what network traffic its consumers plan to send and receive. Nevertheless, consumers should expect certain external network perimeter safety measures from their cloud providers.

To use the analogy of a hotel, we expect the hotel to provide some limited amount of perimeter security: not allowing anyone into the building without a key card during certain times of night, for example, or challenging obviously dangerous persons, even though we should not expect the hotel to deny access to every dangerous person.

With this in mind, it is recommended that consumers evaluate the external network controls of a cloud provider based on the areas highlighted in Table 4.

Table 4. External network requirements

Provider responsibility: Traffic screening

Certain traffic is almost never legitimate, for example traffic to known malware ports. The provider should block this traffic on behalf of the consumers.

Traffic screening is generally performed by firewall devices or software. Some firewall considerations:
o Does the provider publish a standard perimeter block list that aligns with the terms of service for the offering? Consumers should request a copy of the block list; a reasonable block list can provide a consumer with both assurance of a thoughtful network protection plan and some functional guidelines on what is allowed. There may be some cause for concern if the block list is not in line with the terms of service.
o Does the provider's firewall block all IPv6 access, or protect against both IPv4 and IPv6 attacks? More and more devices are IPv6 capable, and some providers forget to limit IPv6 access, which can allow an attacker an easy way around the IPv4 firewall. A consumer can check this for itself: every rule applied to an instance's IPv4 address should have an equivalent for its IPv6 address, and a port that tests as filtered over IPv4 should test as filtered over IPv6 too.
o Is the traffic screening able to withstand and adapt to attacks such as Distributed Denial of Service (DDoS) attacks? DDoS attacks are more and more commonly used for extortion purposes by organized crime, and the ability of a cloud service provider and its Internet service provider to assist in blocking the unwanted traffic can be crucial to withstanding an attack.

Provider responsibility: Intrusion detection/prevention

Some traffic may look legitimate, but deeper inspection indicates that it is carrying a malicious payload such as spam, viruses, or known attacks. The provider should block, or at least notify consumers about, this traffic.

Intrusion detection and/or prevention systems (IDS/IPS) may be software or devices. Whereas a firewall usually only makes decisions based on source/destination, ports, and existing connections, an IDS/IPS looks at both overall traffic patterns and the actual contents of the messages. Many firewalls now include IDS/IPS capabilities.

Although technically not IDS/IPS devices, application level proxies (such as e-mail gateways/relays) will often perform similar functions for certain types of network traffic and are considered here as well.

An IDS will typically only flag potential problems for human review; an IPS will take action to block the offending traffic automatically. Some IDS/IPS considerations:
o IDS/IPS content matching can detect or block known malware attacks, virus signatures, and spam signatures, but is also subject to false positives. Does the cloud provider have a documented exception process for allowing legitimate traffic that has content similar to malware attacks or spam?
o Similarly, IDS/IPS traffic pattern analysis can often detect or block attacks such as a denial of service attack or a network scan. However, in some cases this is perfectly legitimate traffic (such as using cloud infrastructure for load testing or security testing). Does the cloud provider have a documented exception process for allowing legitimate traffic that the IDS/IPS flags as an attack pattern?

For assurance purposes and troubleshooting, it is important that consumers have some visibility into the network health.

Incident reporting and incident handling procedures must be clear, and the consumer should look for visibility into the handling process. Note that if any PII is stored in the cloud computing environment, there may be legal requirements associated with any incident.

Provider responsibility: Logging and notification

Some network logging information is of a sensitive nature and may reveal information about other clients, so a cloud provider may not allow direct access to this information. However, it is recommended that consumers ask certain questions about logging and notification policies:
o What is the network logging and retention policy? In the event of a successful attack, the consumer may want to perform forensic analysis, and the network logs can be very helpful.
o What are the notification policies? As a cloud consumer, you should be notified in a timely manner if your machines are attacked or compromised and are attacking someone else.
o Are historical statistics available on the number of attacks detected and blocked? These statistics can help a consumer understand how effective the provider's detection and blocking capabilities actually are.
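The traffic pattern analysis and exception process described in Table 4, as an added example written for this edit (not code from the CSCC document or any provider): a port-scan check over flow records that flags a source touching many distinct destination ports within a short window, skips sources covered by a documented exception (here an allowlist of networks authorised to run load or security tests), and treats IPv6 sources exactly like IPv4 ones, which is the gap the traffic screening row warns about. The flow lines, addresses, ports and thresholds are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Threshold-based scan detection over flow records (constructed example).
# Flow line format assumed here: "<unix ts> <src ip> <dst ip> <dst port>".
SCAN_PORT_THRESHOLD = 10     # distinct destination ports per source per window
WINDOW_SECONDS = 60

def parse_flow(line: str) -> tuple:
    """Parse one flow line into (ts, src_ip, dst_ip, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def is_excepted(addr, exception_nets) -> bool:
    # ipaddress returns False for an address/network version mismatch, so an
    # IPv4 allowlist entry never silently covers an IPv6 source.
    return any(addr in net for net in exception_nets)

def detect_scans(lines, exceptions=()):
    """Return {source: sorted distinct ports} for each source that reaches the
    threshold inside a WINDOW_SECONDS sliding window and has no exception."""
    exception_nets = [ipaddress.ip_network(e) for e in exceptions]
    by_src = defaultdict(list)
    for line in lines:
        ts, src, _, dport = parse_flow(line)
        by_src[src].append((ts, dport))
    findings = {}
    for src, flows in by_src.items():
        if is_excepted(src, exception_nets):
            continue          # documented exception: sanctioned testing range
        flows.sort()
        best, start = set(), 0
        for end in range(len(flows)):
            while flows[end][0] - flows[start][0] > WINDOW_SECONDS:
                start += 1
            ports = {p for _, p in flows[start:end + 1]}
            if len(ports) >= SCAN_PORT_THRESHOLD and len(ports) > len(best):
                best = ports
        if best:
            findings[str(src)] = sorted(best)
    return findings

# Constructed sample flows.
SAMPLE_FLOWS = (
    # an IPv4 scanner: 12 ports in 12 seconds
    [f"{1000 + i} 198.51.100.7 10.0.0.5 {20 + i}" for i in range(12)]
    # an IPv6 scanner that an IPv4-only rule set would never see
    + [f"{2000 + i} 2001:db8:bad::1 2001:db8:1::5 {440 + i}" for i in range(15)]
    # a sanctioned security test from the consumer's own range
    + [f"{3000 + i} 203.0.113.9 10.0.0.5 {8000 + i}" for i in range(25)]
    # a normal client: one port, many connections
    + [f"{4000 + i} 192.0.2.44 10.0.0.5 443" for i in range(30)]
    # a slow probe: 12 ports spread over 20 minutes, never 10 in one window
    + [f"{5000 + i * 100} 198.51.100.8 10.0.0.5 {20 + i}" for i in range(12)]
)

def demo():
    return detect_scans(SAMPLE_FLOWS, exceptions=["203.0.113.0/24"])

if __name__ == "__main__":
    for src, ports in demo().items():
        print(f"scan from {src}: {len(ports)} ports ({ports[0]}..{ports[-1]})")
```

The slow probe in the sample is deliberately not flagged: a purely window-based threshold misses scans spread over a long period, which is one reason Table 4 also asks for the provider's historical statistics and a notification policy rather than relying on a single detector.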
Cloud computing includes a number of resources that are not shared in a traditional data center. One of these resources is the cloud provider's internal network infrastructure, such as the access switches and routers used to connect cloud virtual machines to the provider's backbone network.

Internal network security differs from external network security in that we postulate that any attackers have already made it through the external defenses, either via an attack or, more commonly, because the attackers are legitimately authorized for a different part of the network. After a user is allowed access to a portion of the cloud service provider's network, the provider has a number of additional responsibilities with respect to internal network security.

The primary categories of internal network attacks that consumers should be concerned with include:
1. Confidentiality breaches (disclosure of confidential data)
2. Integrity breaches (unauthorized modification of data)
3. Availability breaches (denial of service, either intentional or unintentional)

Consumers must evaluate the cloud service provider's internal network controls with respect to their requirements and any existing security policies the consumer may have. Each consumer's requirements will be different, but it is recommended that consumers evaluate the internal network controls of a service provider based on the areas highlighted in Table 5.

Table 5. Internal network requirements

Provider responsibility: Protect clients from one another

Cloud providers are responsible for separating their clients in multi-tenant situations. Most cloud service providers will use one or more of the following technologies for this purpose:

1. Dedicated virtual LANs, or VLANs, are a technology that makes a collection of ports on a physical Ethernet switch appear to be a separate switch. In theory, network traffic on one VLAN cannot be seen on a different VLAN any more than network traffic on one physical Ethernet switch can be seen on a different, non-connected Ethernet switch. VLAN separation technology is often a primary control for cloud providers and is generally very effective. However, there are documented VLAN hopping attacks that allow unauthorized traffic between VLANs, such as double tagging and switch spoofing. Double tagging relies on the trunk's native VLAN being carried untagged: a frame carrying two 802.1Q tags loses its outer tag at the first switch and is delivered by the next switch on the VLAN named in the inner tag. Switch spoofing relies on ports that will negotiate a trunk with whatever is plugged into them. The usual mitigations are to tag the native VLAN on all trunks (or assign it a VLAN that carries no user traffic) and to disable trunk negotiation on tenant-facing ports. Many cloud providers offer dedicated VLANs for consumers that no other consumers should be able to access. It is recommended that consumers verify that the provider's VLAN controls address the known VLAN hopping attacks.

2. Virtual Private Networks (VPNs, also sometimes referred to simply as tunnels) can be used to connect a consumer's dedicated cloud VLAN back to the consumer's network; this configuration is commonly known as a site-to-site VPN. VPNs can also be used to allow roaming users anywhere on the Internet to securely access the consumer's VLAN; this configuration is commonly called client-to-site. In both cases, there are multiple technologies (such as SSL and IPsec) with different security implementations (such as certificate/credential based or endpoint authentication). It is recommended that consumers decide whether VPNs are required, and if so ensure that the cloud provider supports the required operating mode (client-to-site or site-to-site) and security implementation.

3. Per-instance software firewalls are one of the last lines of defense and allow consumers to regulate what traffic comes into their instances by configuring the software firewall on the instance itself. If using a cloud provider's images, consumers should ensure that the images contain proper software firewall capabilities and that the rules are simple to deploy and modify. Per-instance software firewalls are particularly important when sharing a VLAN with other consumers.

4. Private VLAN (PVLAN) is a term that has two meanings. One meaning is a VLAN that is dedicated to a particular consumer, which is defined simply as "dedicated VLAN" above. The second, more technical use of the term is a VLAN that prohibits all traffic between hosts on the private VLAN by default. With private VLAN technology, consumer A and consumer B could be on the same VLAN but still be unable to communicate with one another; they may only be allowed to talk to the router that allows Internet access. Private VLAN technology is effective as long as the router, which is permitted to talk to all stations on the network, is not configured to relay traffic originating in the VLAN back into the VLAN, thereby bypassing the switch's controls. Private VLAN technology provides good isolation but can lead to functional problems, as cloud instances often need to talk to other cloud instances in addition to systems out on the Internet. For this reason, per-instance firewalls are more commonly used for instance separation on the same VLAN. If PVLAN technology is needed, it is recommended that the consumer test to ensure that the router is properly configured and that traffic between cloud instances on the same VLAN is blocked.

5. Hypervisor-based filters, such as ebtables on Linux, are functionally similar to private VLANs in that they can prohibit or allow communications at the virtual switch level. However, these can also be used to prevent attacks such as IP and MAC address spoofing. If dedicated VLANs are not used, it is recommended that the consumer ask what protections are in place to prevent another consumer's instance from masquerading as one of your instances.

Provider responsibility: Protect the provider's network

Separate the provider's network from all clients. If the provider's network is breached, it could lead to almost undetectable data loss. The client separation strategies above are worthless if the provider's control network is not properly protected. An attacker who gains access to the provider's control network may be able to perform attacks on other consumers from the control network.

Consumers should ask what security controls are in place for the cloud infrastructure itself. While many cloud providers will not give out in-depth details of their security measures due to valid security concerns, there should be a stated security policy and some assurance (e.g. via audit and certification) that it is followed.

Provider responsibility: Monitor for intrusion attempts

Activity auditing and logging are an important part of preventive security measures as well as incident response and forensics. Audit information and logs should be subject to appropriate security controls to prevent unauthorized access, destruction or tampering.

Cloud consumers should ask what types of internal network security incidents have been reported and if there are any published statistics or metrics. Consumers should also ask for the provider's processes for alerting consumers about both successful and unsuccessful internal network attacks.
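The double-tagging attack named in item 1 of Table 5, simulated as an added example written for this edit (not code from the CSCC document or from any switch vendor): frames are built and parsed as real 802.1Q byte layouts, switch A forwards an access-port frame onto a trunk, and switch B assigns the VLAN it delivers to. The attacker's frame carries two tags; whether it lands on the target VLAN depends only on how the trunk treats its native VLAN, which is the check the text recommends consumers ask about. MAC addresses and VLAN numbers are constructed.

```python
import struct

# Simulation of the 802.1Q double-tagging VLAN hopping attack and its
# mitigation (constructed example). Switch A has an access port for the
# attacker and a trunk to switch B. If the trunk carries its native VLAN
# untagged, switch A strips exactly one tag from a frame leaving on that VLAN,
# so a frame the attacker built with two tags reaches switch B with the inner
# tag exposed and is delivered on that VLAN.

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, vlans, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def vlan_tags(frame: bytes) -> list:
    """VLAN IDs carried by the frame, outermost first."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_VLAN:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags

def pop_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]

def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, vid) + frame[12:]

def switch_a_to_trunk(frame, access_vlan, native_vlan, tag_native):
    """Frame arrives on an access port in access_vlan; return what goes onto
    the trunk, or None if dropped. The switch inspects the outer tag only."""
    tags = vlan_tags(frame)
    if not tags:
        frame = push_tag(frame, access_vlan)       # normal host traffic
    elif tags[0] != access_vlan:
        return None                                 # tag for a foreign VLAN: drop
    if access_vlan == native_vlan and not tag_native:
        frame = pop_outer_tag(frame)                # native VLAN sent untagged
    return frame

def switch_b_delivery_vlan(frame, native_vlan):
    """VLAN switch B assigns to a frame received on the trunk."""
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan

def hop_result(attacker_vlan, target_vlan, native_vlan, tag_native):
    """VLAN on which switch B delivers the attacker's double-tagged frame."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",
                        [attacker_vlan, target_vlan], ETHERTYPE_IPV4, b"probe")
    on_trunk = switch_a_to_trunk(frame, attacker_vlan, native_vlan, tag_native)
    return None if on_trunk is None else switch_b_delivery_vlan(on_trunk, native_vlan)

if __name__ == "__main__":
    print("native=1 untagged:", hop_result(1, 20, 1, False))   # lands on VLAN 20
    print("native=1 tagged:  ", hop_result(1, 20, 1, True))    # stays on VLAN 1
    print("native=999:       ", hop_result(1, 20, 999, False)) # stays on VLAN 1
```

With the native VLAN carried untagged and the attacker sitting on it, the frame arrives on VLAN 20; tagging the native VLAN, or moving it to a VLAN no tenant port belongs to, keeps the frame where it started. The model deliberately assumes the attacker's access port accepts a frame tagged with its own VLAN, which is the condition the classic attack needs; a switch that drops all tagged frames on access ports already defeats it.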
Step 8: Evaluate security controls on physical infrastructure and facilities

An important consideration for the security of any IT system concerns the security of physical infrastructure and facilities. In the case of cloud computing, these considerations apply, but it will often be the case that the infrastructure and facilities will be owned and controlled by the cloud service provider, and it is the responsibility of the cloud consumer to get assurance from the provider that appropriate security controls are in place.

Assurance may be provided by means of audit and assessment reports, demonstrating compliance with security standards such as ISO 27002 (the control catalogue; formal certification is against ISO 27001, which Table 6 refers to).

A brief description of the security controls that should apply to the physical infrastructure and facilities of a cloud provider includes:
- Physical infrastructure and facilities should be held in secure areas. A physical security perimeter should be in place to prevent unauthorized access, allied to physical entry controls to ensure that only authorized personnel have access to areas containing sensitive infrastructure. Appropriate physical security should be in place for all offices, rooms and facilities which contain physical infrastructure relevant to the provision of cloud services.
- Protection against external and environmental threats. Protection should be provided against things like fire, floods, earthquakes, civil unrest or other potential threats which could disrupt cloud services.
- Control of personnel working in secure areas. Such controls should be applied to prevent malicious actions.
- Equipment security controls. These should be in place to prevent loss, theft, damage or compromise of assets.
- Supporting utilities such as electricity supply, gas supply, and water supply should have controls in place. These are required to prevent disruption either by failure of service or by malfunction (e.g. water leakage). This may require multiple routes and multiple utility suppliers.
- Control security of cabling. In particular power cabling and telecommunications cabling, to prevent accidental or malicious damage.
- Proper equipment maintenance. This should be performed to ensure that services are not disrupted through foreseeable equipment failures.
- Control of removal of assets. Required to avoid theft of valuable and sensitive assets.
- Secure disposal or reuse of equipment. Particularly any devices which might contain data, such as storage media.
- Human resources security. Appropriate controls need to be in place for the staff working at the facilities of a cloud provider, including any temporary or contract staff.
- Backup, redundancy and continuity plans. The provider should have appropriate backup of data, redundancy of equipment and continuity plans for handling equipment failure situations.
Step 9: Manage security terms in the cloud SLA

Since cloud computing typically involves two organizations, the service consumer and the service provider, the security responsibilities of each party must be made clear. This is typically done by means of a service level agreement (SLA) which applies to the services provided, and the terms of the contract between the consumer and the provider. The SLA should specify security responsibilities and should include aspects such as the reporting of security breaches. SLAs for cloud computing are discussed in more detail in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

One feature of an SLA relating to security is that any requirements that are placed on the cloud provider by the SLA must also pass on to any peer cloud service providers that the provider may use in order to supply any part of their service(s).

It should be explicitly documented in the cloud SLA that providers must notify consumers about the occurrence of any breach of their system, regardless of the parties or data directly impacted. The provider should include specific pertinent information in the notification, stop the data breach as quickly as possible, restore secure access to the service as soon as possible, apply best practice forensics in investigating the circumstances and causes of the breach, and make long term infrastructure changes to correct the root causes of the breach to ensure that it does not recur. Due to the high financial and reputational costs resulting from a breach, consumers may want the provider to indemnify them if the breach was the provider's fault.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to subscribing to cloud services and should be specified in the cloud SLA. At a minimum, organizations should understand and document their current metrics and how they will change when operations make use of cloud computing and where a provider may use different (potentially incompatible) metrics. Refer to the following resources for specific information on security metrics:
- ISO 27004:2009 [16]
- NIST Special Publication (SP) 800-55 Rev. 1, Performance Measurement Guide for Information Security [17]
- CIS Consensus Security Metrics v1.1.0 [18]

Measuring and reporting on a provider's compliance with respect to data protection is a tangible metric of the effectiveness of the overall enterprise security plan. A data compliance report should be required from the cloud provider; it reflects the strength or weakness of the controls, services, and mechanisms supported by the provider in all security domains.

The importance of role clarity is increased when discussing security implications. This is also complicated by the cloud computing technical architecture. Each cloud computing model requires distinct responsibilities for the provider and consumer.

In the IaaS model, the onus for securing and reporting upon the infrastructure falls on the provider, but all responsibility for the software stack, from the operating system to the application, lies with the consumer. [19] In the PaaS model, the provider is responsible for securing the infrastructure and platform, and the responsibility for the application lies with the consumer. Finally, in the SaaS model, the provider holds responsibility for the security of the service itself, though the consumer still controls which of its users are granted access and what data it places in the service. Even in an instance where the provider bears nearly all responsibility, the consumer should validate that the provider has instituted the appropriate measures to ensure a secure environment.

[19] The cloud provider is responsible for logging and timely data retrieval and provision to the consumer in an incident response scenario.
Step 10: Understand the security requirements of the exit process

The exit process, or termination of the use of a cloud service by a consumer, requires careful consideration from a security perspective. The overall need for a well defined and documented exit process is described in the CSCC document "Practical Guide to Cloud Service Level Agreements, Version 1.0".

From a security perspective, it is important that once the consumer has completed the termination process, "reversibility" or "the right to be forgotten" is achieved, i.e. none of the consumer's data should remain with the provider. The provider must ensure that any copies of the data are wiped clean from the provider's environment, wherever they may have been stored (i.e. including backup locations as well as online data stores). Note that other data held by the provider may need "cleansing" of information relating to the consumer (e.g. logs and audit trails), although some jurisdictions may require retention of records of this type for specified periods by law. Where the consumer's data was encrypted at rest under keys the consumer controls, destroying those keys at exit gives additional assurance: copies the provider cannot locate, such as old backups, remain unreadable.

Clearly, there is the opposite problem during the exit process itself: the consumer must be able to ensure a smooth transition, without loss or breach of data. Thus the exit process must allow the consumer to retrieve their data in a suitably secure form, backups must be retained for agreed periods before being eliminated, and associated event logs and reporting data must also be retained until the exit process is complete.
Cloud Security Assessment

The critical questions that cloud consumers should ask themselves and their cloud providers during each step of the security assessment are highlighted in Table 6.

Table 6. Cloud Security Assessment

1. Ensure effective governance, risk and compliance processes exist
- Does the consumer have governance and compliance processes in place for the use of cloud services?
- Does the provider have appropriate governance and notification processes for their services, as required by the consumer?
- Is it clear what legal and regulatory controls apply to the provider's services?

2. Audit and ensure proper reporting of operational and business processes
- Is audit information available for the provider services? Does the audit information conform to one of the accepted standards for security audit such as ISO 27001?
- Does the provider have mechanisms in place to provide reporting for both normal and exception behavior relating to their services?
- Is it clear that the provider's management interfaces (for use by consumers) have adequate security controls in place?
- Is there an incident reporting and incident handling process that meets the needs of the consumer?

3. Manage people, roles and identities
- Do the provider services offer fine grained access control?
- Is single sign-on possible with the provider's services?
- Can the provider give reports for monitoring user access?
- Is it possible to integrate consumer identity management with the identity management facilities of the provider?

4. Ensure proper protection of data and information
- Is there a data asset catalog for all data which will be used or stored in the cloud environment?
- Is there a description of responsible parties and roles?
- Has the handling of all forms of data been considered, in particular unstructured data such as images?
- For structured data held in databases within the cloud provider's environment, is there proper separation of data belonging to different consumers in a multi-tenant environment?
- Has appropriate confidentiality, integrity and availability been applied to data used or stored in the cloud environment?

5. Enforce privacy policies
- Is PII going to be stored/processed by the cloud services?
- Do the provider's services have appropriate controls in place for handling PII?
- Are responsibilities for handling PII stated in the SLA?
- If there is a security breach, are responsibilities for reporting and resolving the breach clear, including priorities and timescales?

6. Assess the security provisions for cloud applications
- Is it clear whether responsibility for applications running on cloud infrastructure lies with the consumer or with the provider?
- Where the responsibility lies with the consumer, does the consumer have governance and policies in place that ensure the appropriate security provisions are applied to each application?
- Where the responsibility lies with the provider, does the SLA make the provider's responsibilities clear and require specific security provisions to be applied to each application and all data?

7. Ensure cloud networks and connections are secure
- Is network traffic screened?
- Does the provider's network have intrusion detection and prevention in place?
- Does the network provide the consumer with logging and notification?
- Is there separation of network traffic in a shared multi-tenant provider environment?
- Is consumer network access separated from provider network access?

8. Evaluate security controls on physical infrastructure and facilities
- Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
- Does the service provider have facilities in place to ensure continuity of service in the face of environmental threats or equipment failures?
- Does the cloud service provider have the necessary security controls on their human resources?

9. Manage security terms in the cloud SLA
- Does the cloud SLA specify security responsibilities of the provider and of the consumer?
- Does the SLA require that all security terms must also pass down to any peer cloud service providers used by the provider?
- Does the SLA have metrics for measuring performance and effectiveness of security management?
- Does the SLA explicitly document procedures for notification and handling of security incidents?

10. Understand the security requirements of the exit process
- Is there a documented exit process as part of the contract/SLA?
- Is it clear that all consumer data is deleted from the provider's
Additional References

Cloud Standards Customer Council (2011). Practical Guide to Cloud Computing. http://www.cloudcouncil.org/10052011.htm
This guide provides a practical reference to help enterprise information technology (IT) and business decision makers adopt cloud computing to solve business challenges.

Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (Draft): Recommendations of the National Institute. Gaithersburg: National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800145/DraftSP800145_clouddefinition.pdf
This white paper defines cloud computing, the five essential characteristics, three service models, and four deployment models.

Article 29 Data Protection Working Party. Opinion 05/2012 on Cloud Computing. http://ec.europa.eu/justice/dataprotection/article29/documentation/opinion recommendation/files/2012/wp196_en.pdf
In this Opinion the Article 29 Working Party analyses all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and the e-privacy Directive 2002/58/EC (as revised by 2009/136/EC) where relevant.

IBM (2011). Craft a Cloud Service Security Policy. http://www.ibm.com/developerworks/cloud/library/clcloudsecurepolicy/
In this article, the author explains how to craft a cloud security policy for managing users, protecting data, and securing virtual machines.

Catteddu, D. & Hogben, G. (November 2009). Cloud Computing: Benefits, risks and recommendations for information security. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputingriskassessment
This white paper provides security guidance for potential and existing users of cloud computing.

Cloud Security Alliance (August 15, 2010). CSA GRC Stack including CCM v1.1. https://cloudsecurityalliance.org/research/initiatives/grcstack/
This is an integrated suite of four CSA initiatives: CloudAudit, Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire and the Cloud Trust Protocol.

Cloud Security Alliance (2011). Security Guidance for Critical Areas of Focus in Cloud Computing, Version 3.0. http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
This document provides an actionable, practical roadmap to managers wanting to adopt the cloud paradigm safely and securely.

Daskala, B. & Marinos, L. (March 2010). Emerging and Future Risks Framework, Introductory Manual. European Network and Information Security Agency. http://www.enisa.europa.eu/act/rm/files/deliverables/efrframeworkhandbook
This handbook provides the documentation of the EFR Framework, which consists of a scenario-based process model developed in order to assess and manage emerging and future risks.

Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O'Reilly Media. http://www.amazon.com/CloudSecurityPrivacyEnterprisePerspective/dp/0596802765
Insight from knowledgeable experts, including a former Chief Security Strategist for RSA, on how to keep your virtual infrastructure and web applications secure.
AppendixA:WorldwidePrivacyRegulations
Region: Asia Pacific region, Japan, Australia, New Zealand, and others
Regulation: These regions have adopted data protection laws that require the data controller to adopt reasonable technical, physical, and administrative measures in order to protect personal data from loss, misuse, or alteration, based on the Privacy and Security Guidelines of the Organization for Economic Cooperation and Development (OECD)[20], and the Asia Pacific Economic Cooperation's (APEC) Privacy Framework.[21]

Region: Japan
Regulation: In Japan, the Personal Information Protection Act[22] requires the private sector to protect personal information and data securely. In the health care industry, profession-specific laws, such as the Medical Practitioners' Law[23], the Law on Public Health Nurses, Midwives and Nurses[24], and the Dentist Law[25], require registered health professionals to protect the confidentiality of patient information.

[22] Act on the Protection of Personal Information (Act No. 57 of 2003); see http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf for details.
[23] Medical Practitioners' Law (Law No. 201 of July 30, 1948), http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[24] Law on Public Health Nurses, Midwives and Nurses (Law No. 203 of July 30, 1948), http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf
[25] Dentists Law (Law No. 202 of July 30, 1948); see http://jalii.law.nagoya-u.ac.jp/official_gazette/pdf/19480730f_eb.00000.010.010_0010.0010.0_a.127600.01217100.pdf for details.

Region: Europe, Africa, Middle East
Regulation: The European Economic Area (EEA) 30 Member States have enacted data protection laws that follow the principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive (as amended in 2009). These laws include a security component, and the obligation to provide adequate security must be passed down to subcontractors. Other countries that have close ties with the EEA, such as Morocco and Tunisia in Africa, and Israel and Dubai in the Middle East, have also adopted similar laws that follow the same principles.
Region: Americas
Regulation: North, Central, and South American countries are also adopting data protection laws at a rapid pace. Each of these laws includes a security requirement that places on the data custodian the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party. In addition to the data protection laws of Canada[26] and Argentina[27], which have been in existence for several years, Colombia, Mexico, Uruguay, and Peru have recently passed data protection laws that are inspired mainly by the European model and may include references to the APEC Privacy Framework as well.

Region: United States
Regulation: There is no single privacy law in the United States. A range of government agency and industry sector laws impose privacy obligations in specific circumstances. There are numerous gaps and overlaps in coverage. Current industry sector privacy laws include:
o The Federal Trade Commission Act[28], which prohibits unfair or deceptive practices; this requirement has been applied to company privacy policies in several prominent cases.
o The Electronic Communications Privacy Act of 1986[29], which protects consumers against interception of their electronic communications (with numerous exceptions).
o The Health Insurance Portability and Accountability Act (HIPAA)[30], which contains privacy rules applying to certain categories of health and medical research data.
o The Fair Credit Reporting Act[31], which includes privacy rules for credit reporting and consumer reports.
o The Gramm-Leach-Bliley Act (GLBA)[32], which governs the collection, disclosure, and protection of consumers' nonpublic personal information for financial institutions.
These laws hold organizations responsible for the acts of their subcontractors. For example, the security and privacy rules under GLBA or HIPAA require that organizations compel their subcontractors, in written contracts, to use reasonable security measures and comply with data privacy provisions.

[26] Personal Information Protection and Electronic Documents Act (PIPEDA); see http://laws-lois.justice.gc.ca/eng/acts/P-8.6/ for details.
[29] See http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=RETRIEVE&FILE=$$xa$$busc18.wais&start=3919965&SIZE=21304&TYPE=TEXT for details.
Appendix B: Acronyms & Abbreviations
Abbreviation  Meaning
CSCC          Cloud Standards Customer Council
ENISA         European Network and Information Security Agency
IaaS          Infrastructure as a Service
IEC           International Electrotechnical Commission
ISACA         Information Systems Audit and Control Association
ISO           International Standards Organization
PaaS          Platform as a Service
PCI           Payment Card Industry (Security Standards Council)
PII           Personally identifiable information
SaaS          Software as a Service
SLA           Service Level Agreement
SSAE          Statement on Standards for Attestation Engagements