This document provides an analysis of the Amazon S3 cloud storage service with a focus on confidentiality. It begins with background on the authors and support for the research. It then discusses previous work analyzing cloud security risks and frameworks. The main body analyzes Amazon S3's security features for protecting confidentiality as required by the FedRAMP guidelines. It discusses challenges in fully evaluating cloud security and aims to improve security frameworks based on vulnerabilities discovered. The goal is to increase security for information stored in the cloud which could benefit both government and private users.
Original description:
Discussion of how Amazon Web Services relates to the FedRAMP Guidelines
Joseph Beckman, Ph.D. Student, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Matthew Riedle, M.S. Student, Cyber Forensics in Computer Information Technology, Purdue University
Hans Vargas, M.S. Student, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
This research was supported by Dr. Brandeis Marshall and Dr. Melissa Dark as part of the INSuRE (The Information Security Research and Education) Research Grant, as well as by the National Security Agency (NSA), which sponsored and provided unclassified problems to be researched. Correspondence concerning this paper should be addressed to Joseph Beckman, Matthew Riedle, and Hans Vargas, Purdue University, West Lafayette, IN 47906. Contact: beckmanj@purdue.edu, mriedle@purdue.edu, hvargas@purdue.edu
Abstract
Distributed computing is a familiar concept within computer science. Public distributed computing, better known as cloud computing services, is a relatively new concept in the marketplace. In recent years, individuals, corporations, and government agencies have begun to leverage the resources of the Internet to perform tasks that had previously been limited to in-house computer networks. Providers of these resources, collectively referred to as Cloud Service Providers (CSPs), tout numerous benefits of their use, including the reduction of IT costs. Prospective customers, however, should take a serious look at the risks, vulnerabilities, and threats that may arise when relocating their resources to the cloud. The impacts of cloud usage upon information security as it relates to confidentiality are not well understood, and for that reason our research focuses on the Amazon S3 cloud storage service as a case study related to confidentiality, from which to provide recommendations for improvement to existing cloud security frameworks.
Analysis of Amazon S3 Cloud Services
Introduction
Previous work [2] categorizing risks within cloud computing identified threat and vulnerability profiles of three major CSPs, comparing them against the security controls required by FedRAMP in order to approve federal agencies' migration of services to the cloud. This project will focus primarily on federal agencies as the customer base of cloud services, but will also take into consideration that private sector customers would benefit from security guidelines established by FedRAMP adopters. Amazon Web Services (AWS) was one of the first CSPs to be deemed compliant with FedRAMP cloud storage service security guidelines, which certified Amazon's S3 cloud storage service for use by United States federal government agencies. This project will attempt to describe and explain the existence, usability and effectiveness of the security features of Amazon S3 with respect to the protection of confidentiality within the Infrastructure-as-a-Service (IaaS) domain. It will also lay the groundwork for updating and adapting the existing guidelines to audit CSPs more efficiently, as well as provide analysis based on open source intelligence regarding the realization of vulnerabilities and the adoption of remedial actions by providers and customers.
[2] Vargas, Toriola (2012). Public Cloud Providers: A Risk Matrix.
Motivation
The aim of this project, through the evaluation of Amazon S3 cloud services and the re-evaluation of the FedRAMP cloud services security guidelines, is to bring a greater level of security to information stored in the cloud. Increasing the level of security in the cloud is important to the field of information security, to the United States government, and to anyone who uses cloud services. While this project will focus on the cloud security policies and processes of the United States federal government, it has the potential to impact much of the world's population because of the widespread use of services like free e-mail, which operates mainly as a cloud service. Efforts to bring greater security to the cloud face many challenges that will impact this project. The nature of cloud services, and one of the greatest benefits of this architecture, is the lack of exposure of the system's back-end processes to the user. When evaluating the security of such a system, however, the inability to examine these processes directly reduces the effectiveness and meaningfulness of a security audit. Additionally, the cloud environment is very dynamic; services are added, changed, and removed often as user needs and behaviors change. As a result, our ability to produce durable and enduring changes to any security auditing framework will be limited to studying the effects that are possible to analyze from the standpoint of a normal commercial service deployment. While we are not able to see the full impact of this project, we know that it is a relevant issue to everyone. The motivation driving us to address this problem is the potential for its solution to have wide-ranging impacts on any customer using web storage services.
Previous Work
Initial work on this project, related to public cloud providers, was conducted during the Fall 2012 semester. That research presented an overview of the three major cloud service providers (Amazon, Microsoft, and Google) and determined their common threats and vulnerabilities. Another important aspect was the evaluation of the security controls available to mitigate risk, specifically when federal agencies were considering transferring services to the cloud. Institutions like FedRAMP (based on NIST standards) and CSA were consulted as providers of guidelines and benchmarks for security in the cloud, as well as other, more specific risk frameworks. As a result, a risk matrix was developed that displayed a match between risk and security controls.
The trend towards moving services to cloud computing is relatively new; existing literature on the topic of security in cloud computing tends to focus on one or more of three areas: analyzing the security of cloud service providers' (CSPs') environments, providing an overview of the security landscape of cloud deployment models [3], or creating an overall framework for a more secure use of the cloud. Each of these three themes is addressed from various perspectives, although comparisons tend to be rather straightforward and technical (Batten, 2012)(Shraer, 2010)(Agrawal, 2010). Some of the work providing an overview of cloud security discusses security in the cloud from the perspective of a particular discipline, such as business (Gurkok, 2013). Others focus on aspects of the cloud security landscape like institutional impact (Ksherti, 2013) or technical vulnerabilities (Marinescu, 2013). Given the variety of missions being addressed by the myriad government agencies that may derive benefit from and consider using Infrastructure-as-a-Service in the cloud, literature using all of these approaches will be valuable in forming our evaluation of confidentiality in the Amazon S3 service.
Though some have attempted to create general frameworks for more secure cloud computing (Cloud Security Alliance, 2013)(Mouratidis, 2013), frameworks are also coming into existence that are focused by discipline or organization type. FedRAMP guidelines for United States federal government cloud service providers are focused broadly on the needs of the federal government, just as SAS-70 Type II accounting audit guidelines are applied to cloud computing from the perspective of financial auditing. In order to provide a comprehensive assessment of the confidentiality aspect of security within the Amazon S3 Infrastructure-as-a-Service platform, we will consider existing discipline-related overviews and frameworks along with work relating to specific aspects of cloud security that touch on confidentiality [4]. For the purposes of this analysis, we have categorized the issues facing the topic into the following themes.
[3] IaaS, PaaS, SaaS.
[4] Preserving authorized restrictions on access and disclosure, by protecting personal privacy and proprietary information.
General Cloud Security Issues
Astrova et al. (2012) reviewed the state of current security in cloud environments and its relationship to CIAAA [5]. The relevance of this subject lies in the analysis of the basis of security and of the challenges introduced by cloud computing, in the context of both benefits and drawbacks. One of the arguments presented is that the use of cloud services does not necessarily lower the customer's security level, meaning that those levels should be based on the customer's security requirements, which inevitably will lead to the identification of the security levels offered by CSPs. In order to accomplish this, BSI [6] guidelines, which established minimum security requirements for cloud providers, were used, as they describe security levels for the K.O. (knock-out) criteria matrix. These criteria attempt to assess the security level of cloud providers, with emphasis on Amazon as a cloud provider. The BSI represents one type of benchmark, similar to other efforts (FedRAMP in the US) that attempt to determine a security level. Similarly, potential users of cloud services could benefit from the existence of a cloud certification authority that ensures the transparency of CSPs with respect to their security levels. Such a level of security could be determined by using the K.O. criteria, providing customers with better tools to choose cloud providers based on their security capabilities. Increasingly, CSPs are partnering with specialized security providers, in a Security-as-a-Service model, to enhance the level of cloud security for their customers. These services are directly aimed at increasing confidentiality rather than availability [7].
According to Xiaoqi Ma (2012), the analysis of potential security risks related to cloud services, as they relate to confidentiality, integrity and availability (CIA), attempts to provide answers focused on privacy. From data privacy protection to data integrity in cloud services, his research represents a broad overview of security problems and proposed solutions. Meanwhile, Behl and Behl (2012) review the key challenges of implementing cloud security solutions for a dynamic and changing cloud environment; they conduct analysis in order to consider detailed specifications of the problem and descriptions of "must have" features for a security solution. Some of the major concerns regarding security are: loss of control while moving services to the cloud; multi-tenancy, or co-residence on the same logical/physical media; and service level agreements (SLAs), considered as the assurance of the right expectations. The paper further details the need for information integrity and privacy as well as identity federation. It concludes by recommending that cloud security management should be enhanced in order to better control and manage user data; in addition, it suggests that security should become a wrapper to all cloud deployment models in a multilayer security solution.
Behl et al. (2012), however, review the key challenges of implementing cloud security solutions for a dynamic and changing cloud environment. They conduct analysis in order to consider detailed specifications of the problem of security in cloud computing and descriptions of required features for a security solution. Some areas of major concern regarding security are: loss of control while moving services to the cloud; multi-tenancy, or co-residence on the same logical/physical media; and SLAs, considered as the assurance of the right expectations. The paper further details the need for information integrity and privacy as well as identity federation. Behl et al. conclude by recommending that cloud security management should be enhanced in order to better control and manage user data, and they suggest that security should become a wrapper to all cloud deployment models in a multilayer security solution.
Contrary to some assumptions, moving to a cloud environment does not eliminate the risk associated with security. In fact, outsourcing computing resources to the cloud generates major new security and privacy concerns. Moreover, service level agreements (SLAs) might not provide adequate legal protection for cloud computing users, who are often left to deal with events beyond their control.
[5] Confidentiality, Integrity, Availability, Authentication and Authorization.
[6] Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).
[7] Ensuring timely and reliable access to and use of information.
Amazon Computing
Some of the literature that we sought related to specific Amazon cloud computing services; this effort uncovered literature that sheds light on Amazon's computing services. Marinescu (2013) suggests that an in-depth study of cache placement decisions over various cloud storage options would be beneficial to a large class of users, considering the data persistence, monetary costs, and high performance needs of AWS, in order to generate cost-effective data placement strategies. Marinescu describes what adequate caching strategies [8] could represent for cloud services. The costs considered are those of Amazon's S3, EC2 [9] and EBS [10], and are then used to obtain relevant data through a series of experiments for cost evaluation. The relevance of this paper lies in its analysis of how these different services can be distinguished from each other based on the cost effectiveness of each one.
Garfinkel's (2007) article was considered as a way to show the progress in authentication mechanisms, from a simple authentication strategy based on the SHA1-HMAC algorithm to today's four mechanisms for controlling access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string authentication. Abundant information about these four access control mechanisms is available from Amazon S3 Access Control [11], where each feature and capability is described. With IAM policies, customers can grant IAM users fine-grained control over their Amazon S3 bucket or objects while also retaining full control over everything the users do. With bucket policies, companies can define rules that apply broadly across all requests to their Amazon S3 resources, such as granting write privileges to a subset of Amazon S3 resources. Customers can also restrict access based on an aspect of the request, such as HTTP referrer and IP address. With ACLs, customers can grant specific permissions (i.e. read, write, full_control) to specific users for an individual bucket or object. With query string authentication, customers can create a URL to an Amazon S3 object that is only valid for a limited time.
[8] Caches can be deployed to maintain some set of precomputed/intermediate data for reuse. Especially in scientific applications, precomputed data could not only replace the need to tirelessly compute redundant information, but it can also significantly reduce the amount of data transfer required.
[9] Amazon Elastic Compute Cloud (Amazon EC2).
[10] Amazon Elastic Block Store (Amazon EBS).
[11] Access Control. Retrieved from: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html
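The time-limited URL of query string authentication can be sketched as follows. This is an added example, not code from the paper or from AWS: it follows the legacy Signature Version 2 layout, which uses the SHA1-HMAC construction mentioned above (current AWS SDKs sign with Signature Version 4 instead). The credentials, bucket and object names are constructed placeholders, and `verify_get` is a hypothetical stand-in for the service-side check.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholder credentials, not real AWS keys.
ACCESS_KEY_ID = "AKIDEXAMPLEPLACEHOLDER"
SECRET_KEY = b"constructed-secret-key-for-illustration"


def lookup_secret(access_key_id):
    """Hypothetical key store: map an access key id to its secret."""
    return {ACCESS_KEY_ID: SECRET_KEY}.get(access_key_id)


def sign(secret, text):
    """Base64 of HMAC-SHA1 over the string to sign."""
    digest = hmac.new(secret, text.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def string_to_sign(bucket, encoded_path, expires):
    # Layout: verb, Content-MD5, Content-Type, expiry, canonical resource.
    # The two empty fields are the unused Content-MD5 and Content-Type of a
    # plain GET. The expiry is signed, so it cannot be extended afterwards.
    return f"GET\n\n\n{expires}\n/{bucket}{encoded_path}"


def presign_get(bucket, key, now, lifetime_s,
                access_key_id=ACCESS_KEY_ID, secret=SECRET_KEY):
    """Owner side: build a URL that grants GET on one object until it expires."""
    expires = int(now) + int(lifetime_s)
    path = "/" + quote(key)
    signature = sign(secret, string_to_sign(bucket, path, expires))
    return (f"https://{bucket}.s3.amazonaws.com{path}"
            f"?AWSAccessKeyId={access_key_id}&Expires={expires}"
            f"&Signature={quote(signature, safe='')}")


def verify_get(url, now, secret_lookup=lookup_secret):
    """Service side: recompute the signature, then enforce the expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        access_key_id = query["AWSAccessKeyId"][0]
        expires = int(query["Expires"][0])
        signature = query["Signature"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    secret = secret_lookup(access_key_id)
    if secret is None:
        return False, "unknown key id"
    bucket = (parts.hostname or "").split(".s3.")[0]
    expected = sign(secret, string_to_sign(bucket, parts.path, expires))
    # Constant-time comparison on bytes avoids leaking how many characters match.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    url = presign_get("example-bucket", "reports/q1 draft.pdf",
                      now=1_700_000_000, lifetime_s=300)
    print(url)
    print(verify_get(url, now=1_700_000_100))
    print(verify_get(url, now=1_700_000_301))
```

Anyone holding the URL can fetch the object until the expiry passes, so the lifetime is the only control on a leaked link.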
Concerns about Security in the Cloud Storage
Cloud storage as a service is becoming a sought-after commodity, and this growing trend has also raised concerns about the underlying security of the service. Regarding this concern, Chou et al. (2013) discuss overall security weaknesses that exist in several different cloud architectures through the investigation of three of the most popular data storage CSPs: Microsoft SkyDrive, Google Drive, and Dropbox. However, the weaknesses are not specific to these CSPs, and could very well exist in Amazon's S3 data storage service. The main point of Chou is that even though the data is encrypted while being uploaded to or downloaded from the cloud servers, the weakness lies in the data as it is shared with others. There are three identified methods of sharing: public, private, and secret URLs. Public sharing is the easiest and is achieved by publishing a URL by which anyone can access the data. Private sharing requires anyone the data will be shared with to be verified through email and then to log into the Dropbox application in order to view the data. A secret URL is a cross between the other sharing methods, in which a unique URL is generated that the owner can send to anyone they wish to share the data with, without needing any further authentication. For instance, the cloud security of Dropbox, Google Drive, and Microsoft SkyDrive is found to have similar weaknesses, mostly pertaining to a lack of user authentication in the sharing of data. This could be fixed by looking at how invitations to view the data can be rendered useless after they have been activated. Preventing these links from continuing to work after the recipient has used them, along with setting up a method to require a password in order to use a link, will help tighten the security of sharing data in the cloud. From this analysis we found ideas for investigating new security policies for cloud security.
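A sketch of the two fixes suggested above for secret-URL sharing, a link that stops working once the recipient has used it and a password required to use it. This is an added example, not code from Chou et al. or from any provider; the `ShareLinks` class, its method names and the failed-attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # assumption added here; the text only asks for a password


class ShareLinks:
    """In-memory store of single-use, password-protected share links."""

    def __init__(self):
        self._links = {}

    @staticmethod
    def _token_id(token):
        # Only a hash of the token is stored, so a leaked table cannot be
        # turned back into working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _password_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def create(self, object_id, password, now, lifetime_s):
        """Return the secret token that goes into the URL sent to the recipient."""
        token = secrets.token_urlsafe(32)  # unguessable, unlike a public URL
        salt = secrets.token_bytes(16)
        self._links[self._token_id(token)] = {
            "object_id": object_id,
            "salt": salt,
            "pw_hash": self._password_hash(password, salt),
            "expires": now + lifetime_s,
            "used": False,
            "failures": 0,
        }
        return token

    def redeem(self, token, password, now):
        """Return (object_id, "ok") exactly once; (None, reason) otherwise."""
        link = self._links.get(self._token_id(token))
        if link is None:
            return None, "unknown link"
        if link["used"]:
            return None, "already used"
        if now > link["expires"]:
            return None, "expired"
        if link["failures"] >= MAX_FAILED_ATTEMPTS:
            return None, "locked"
        candidate = self._password_hash(password, link["salt"])
        if not hmac.compare_digest(candidate, link["pw_hash"]):
            link["failures"] += 1
            return None, "bad password"
        link["used"] = True  # the invitation is dead from here on
        return link["object_id"], "ok"


if __name__ == "__main__":
    links = ShareLinks()
    # Constructed sample values.
    token = links.create("example-bucket/report.pdf", "correct horse", now=1000, lifetime_s=600)
    print(links.redeem(token, "guess", now=1001))
    print(links.redeem(token, "correct horse", now=1002))
    print(links.redeem(token, "correct horse", now=1003))
```

A forwarded or intercepted link is therefore worthless after the first successful use, and useless without the password before it.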
The first chapter of Yang and Jia's (2014) Security for Cloud Storage Systems explores aspects of cloud technology, defining how they operate with data storage. Several items, including on-demand self-service and network access, are already expected by the users of cloud services when storing personal data. From there, two main threats are described as plaguing cloud providers. The first issue pertains to data integrity; users should be confident that the cloud provider is correctly managing their personal data, especially after they want to delete it. The second issue pertains to access control; this issue is also due to the user being forced to trust the cloud server for their access control policies. While the data integrity issue is outside of our scope for this project, the access control information presented in this book will be very useful not only in assessing the weakness of access control in cloud architectures, but also in providing several concepts for how to fix these holes.
A Comparison of Approaches to Cloud Security
Tajadod et al. (2012) is based on the comparison of two CSPs, and it goes into detail exploring those differences. We found relevant information about Amazon S3, as the paper details its services in order to support the corresponding comparison. This description of security features is presented following CIA. For Confidentiality it describes Amazon IAM [12], MFA [13], and Key Rotation. With respect to Integrity, it describes encryption via SSL and HTTPS from client and server sides as well as HMAC (hash-based message authentication code). Finally, for Availability, it specifies the SLA of Amazon as well as data replication capabilities.
[12] Identity and Access Management.
[13] MFA: Multi-Factor Authentication.
Securing Cloud Services against Attacks
The securing of cloud services can involve both reactive and proactive measures, and in that regard Boot, Soknacki, and Somayaji provide an overview of security in the cloud computing environment, but approach their overview from the perspective of potential attackers. This overview, using descriptive methods, considers the various attacks that can be perpetrated upon a client-server model, and then reduces the scope of these attacks to those that would impact the current cloud environment, specifically one employing a hypervisor. The authors found that attacks relating to denial-of-service, breach of confidentiality, and compromise of data integrity are all applicable within the cloud. In relation to data confidentiality, the cloud adds a new threat of data colocation to those of typical client-server security issues. Through colocation, an attacker may be able to gain access to sensitive data residing on a cloud server by gaining access to the server through the account of a user using weaker authentication techniques. This paper also discusses the possibility of users with administrative-level access compromising sensitive data either maliciously or accidentally. Though the authors feel that data encryption and monitoring are important steps in ensuring the confidentiality of data in the cloud, these solutions remain vulnerable to traffic analysis and cryptographic weaknesses and would place an additional burden upon cloud providers.
A document written by Cem Gurkok (2013) as a chapter in the book Computer and Information Security Handbook presents a view of cloud computing from a very strategic level. Gurkok begins his work with an overview of the types of cloud computing platforms (SaaS, IaaS, and PaaS), moves on to discuss security issues common to cloud services, and then describes security issues specific to the types of cloud platforms. Gurkok's descriptive methods are comprehensive and are able to analyze cloud security through the lens of the CIA triad, while subdividing these issues by discipline (legal, technical, etc.) and by operative system (infrastructure, operating system, application, etc.). The strategic level of this document provides a starting point for the narrowing of our analysis of the problem space.
Auditing is addressed by Yu, Niu, Yang, Mu, and Susilo (2014), whose work focuses not on cloud security itself but rather on the function of auditing cloud services for security. This paper is the result of conducting active attacks on cloud services, which showed that current auditing tools, such as Oruta and Knox, failed to provide evidence that the authenticity and integrity of stored files had been breached.
In response, these authors propose a new framework that accounts for the actions of an attacker who is active on the system and working against the goals of the auditors. Though this work does not speak directly to the framework for security in the cloud environment, it does present both the security audit process and its current vulnerabilities. An important aspect of our proposed framework, and of any security framework, should be the ability to audit and verify the security of the system. Understanding these processes will be important to the creation of a robust framework and successful evaluation of the Amazon S3 service.
Trustworthiness is researched by Shraer et al. (2010), especially after some identified [14] high-profile incidents as they related to data integrity and consistency and their relationship to confidentiality (through encryption) and availability (through resilience and protection against loss). Venus is a service for securing user interactions with untrusted cloud storage by guaranteeing integrity and consistency. Even though this research represents an external mechanism that could be added transparently to the cloud storage service (Amazon S3), it provides evidence that this CSP's infrastructure is able to support verification mechanisms in its commodity cloud storage service. A simulated split-brain attack from a system with two clients was performed in order to evaluate how Venus detects service violations, and it successfully identified inconsistencies. This work represents attempts external [to cloud providers] that enhance current storage solutions with insignificant added overhead.
[14] Amazon S3's silent data corruption, a privacy breach in Google Docs, and Ma.gnolia's data loss.
Customers' Role in Cloud Security
Customers are responsible for the acquisition, configuration, use and allocation of cloud services, and so bear part of the responsibility when vulnerabilities are exploited. Ksherti's (2013) paper, from the journal Telecommunications Policy, states that a discrepancy exists between the security claims of cloud computing vendors and users of cloud computing services. His largely descriptive study cites statistics from popular press surveys about the security fears of cloud computing users to support his assertion. Ksherti also uses these surveys as a jumping-off point to discuss the institutions surrounding cloud computing, and how they should be modified to build greater levels of security into the fabric of these institutions. Specifically, he suggests the formation, through legal, technical, and social means, of a normative culture of security in cloud computing. Given the size and diversity of missions within the United States federal government, the importance of the culture of use surrounding cloud computing in this environment cannot be overstated. This work will inform aspects of the modified framework and evaluation of the Amazon S3 service that we provide in our work.
Security Framework for Cloud Services
A cloud security framework is presented by Nayak et al. (2012), detailing three phases of cloud security (server initialization, registration, and authentication) that benefit from incorporating user authentication into the overall cloud models. User authentication is used, in the form of usernames and passwords, in almost every system that people use on a daily basis, such as online shopping, email, and social media. These methods are already applied by AWS in their approach to cloud security, and the paper goes into detail about how the messages could be laid out between Amazon's authentication servers and the user in order to maximize authentication security. In the server authentication phase, each user is assigned a unique SK [15], which is used in further steps to authenticate the users. The second phase, registration, is dependent on whether the user is new or not. When a new user opens an Amazon S3 account, that user must register with an email address, which will then need to be verified by the user. When an existing user approaches Amazon S3, they proceed directly to the third step, user authentication, where the username and password combination is verified against Amazon's servers. This step can be further secured by using a Two-Factor Authentication device, which would require an additional piece of information generated from a separate device in order to log in to their account. Through the use of this security framework, Amazon S3 is able to thwart several attack methods, including non-reply attacks and man-in-the-middle attacks.
[15] Secret Key.
The Cloud Security Alliance (CSA) (2014) has also produced a cloud security guidance that segments cloud computing security issues into several domains. The two domains most relevant to confidentiality were information management and data security (fifth domain), and identity, entitlement, and access management (twelfth domain). The authors recommend using a data security lifecycle for evaluating and defining cloud data security strategy as a high-level overview of cloud security.
Considering the vast number of computers in the world today, and the various forms of home PCs and mobile devices, security needs to be a top priority, especially when they are being used to access personal data from cloud services. Chow et al. (2010) introduce a new framework of cloud access security, of particular use on mobile devices, named TrustCube. This framework aims to add to the typical methods of authentication (what you know, what you have, and what you are) by including what you do, through keeping track of a user's habits. This TrustCube authentication would run on cloud servers and could be accessed by any CSP to authenticate users more quickly. Chow, Jakobsson, et al. (2010) were able to implement a version of TrustCube to work with mobile devices. They configured the software to keep track of user characteristics, including calling patterns, website access, and location. They also realize that while this software is able to successfully authenticate the user, it is always advisable to include an additional method of authentication on the chance that it does not work. In their testing, the access control policies they designed, based on personal habit characteristics, proved successful in authenticating the user and preventing unauthorized access with a low failure rate. While this system is not perfect at achieving authentication, it can prove beneficial to Amazon's S3 cloud services. A large portion of S3 involves data storage, which users want quick access to from anywhere, hence their use of the cloud for storage. By implementing the TrustCube dynamics, cloud providers, including Amazon S3, will be able to provide quicker access for their users, allowing for better consumer satisfaction. The inclusion of user habits is also a great method of adding an additional security layer for users who are extremely security-conscious.
Mouratidis et al. (2013) provide a systematic and structured framework for cloud computing. Unlike other existing frameworks for cloud computing security, these authors approach the topic of cloud provider selection from a decidedly technical perspective. Although the approach is technical, descriptions within the work about high-level goal setting work well to inform a comprehensive approach to security in this environment. This work is also unique because it walks through a case study in building the proposed model. Despite the existence of FedRAMP as a tool for evaluation of the security of cloud providers for United States federal government use, the section about secure cloud provider selection will highlight areas within FedRAMP that may need augmentation.
Methods
Research was conducted on the confidentiality of data stored on the Amazon S3 Infrastructure-as-a-Service (IaaS) cloud storage environment for the purposes of developing guidelines supplemental to FedRAMP that better address issues of confidentiality within this environment. Time and financial constraints inherent in the course setting impacted both the scope and nature of this research. First and foremost, the overall research methodology was descriptive and qualitative as a result. Further, the scope of this project was narrowed to focus only on the Amazon S3 storage service, rather than a broader assortment of Amazon's cloud service offerings, and only on the confidentiality aspect of the service, rather than all aspects of the C-I-A triad. The key aspect of research during this study was an extensive literature review, which began with general research of the cloud computing environment. Ultimately, this review was also necessarily narrowed to match the scope of the research question. Beyond narrowing the focus of the research to confidentiality metrics and issues relating to the Amazon S3 cloud storage service, issues and resolutions to issues that could not be verified either through testing or through an independent third party were also removed from the scope of this research; however, Amazon has summarized how it complies with federal privacy laws (Amazon, 2014). The research methods supported the following research motive: the cloud computing environment is an extremely dynamic space, and several sets of guidelines are being developed to promote secure use of cloud storage resources. In this context, the research question to be answered in this study is, "Are current FedRAMP guidelines sufficient to meet the challenges of data confidentiality faced by United States federal government agencies in the Amazon S3 cloud, or should guidelines be added, changed, or segmented by level of security required for a project?"
Discussion
On February 8, 2011, the Chief Information Officer of the United States released the Federal Cloud Computing Strategy (FCCS) document (Kundra, 2011). The goal of this document was to set forth a strategy that would increase the efficiency of information technology use in the federal government both in terms of cost and time (Kundra, 2011, p. 1). The FCCS policy is designed to work in conjunction with, and in support of, the CIO's February 2010 Federal Data Center Consolidation Initiative (FDCCI), which seeks to raise data center efficiency through the elimination of 800 federal data centers by 2015 (Kundra, 2011, p. 8). Based on estimates by the federal Office of Management and Budget (OMB), 25% of federal IT spending was now being targeted for migration to cloud computing environments (Kundra, 2011, p. 1).
Within the Decision Framework for Cloud Migration, the FCCS document does discuss security requirements to be considered when agencies make decisions about the type of cloud to be used, and the speed at which migration should occur (Kundra, 2011, pp. 11-14). FCCS frames the evaluation criteria for security considerations in the cloud in terms of the Federal Information Security Act (FISMA) requirements including, but not limited to, Federal Information Processing Standards (FIPS), and lays the responsibility for maintaining the appropriate level of information security upon the individual agencies (Kundra, 2011, p. 13). FCCS does, however, recognize that security (and other) concerns are likely to produce different iterations of cloud computing within and among federal agencies by virtue of its recognition of NIST's definition of cloud service models (Kundra, 2011, p. 6), and deployment models (Kundra, 2011, p. 5), including private clouds. It also recognizes the need for a transparent security environment between cloud providers and cloud consumers (Kundra, 2011, p. 26), and cites the 2010 Federal Risk Authorization Management Program (FedRAMP) as responsible for defining requirements for cloud computing security controls, including vulnerability scanning, and incident monitoring, logging and reporting, in support of the secure and transparent cloud security environment (Kundra, 2011, p. 26). Also according to the FCCS, the Department of Homeland Security will assist in the operational security of federal agencies using cloud services by publishing a list of top security threats related to the cloud as needed, whereas NIST will assist with continued monitoring of cloud solutions as outlined by the Six Step Risk Management Framework, cited as Special Publication 800-37, Revision 1 (Kundra, 2011, p. 26).
Several solution frameworks exist in the problem space of cloud computing controls. FedRAMP, of course, applies to federal cloud computing and, consequently, plays a significant role in defining the solution space. Because of its role as a controls structure for the United States federal government, FedRAMP plays a significant role in that function for agencies that work with the United States federal government, such as state agencies, universities, private firms, and foreign governments, as well as other entities that may not see the benefit in developing a further structure. Despite FedRAMP's stature in the space, various other previously mentioned controls structures exist. Organizations such as the Cloud Security Alliance (Cloud Security Alliance, 2013), and trade-based professional associations (Mouratidis, 2013) have also proposed control sets based on their own needs in cloud security.
Our analysis has attempted to combine those controls that, in our view, represent the best confidentiality controls for cloud computing currently in existence across the community, compare the Amazon S3 service against these augmented metrics, and return suggestions that are useful not only to Amazon S3, but to the cloud computing community broadly. The timeline shown below presents Amazon's security and compliance releases that have impacted the security of the Amazon S3 cloud storage service and that serve as the basis for the discussion of problems and issues that follows.
Cloud Provider Perspective: Amazon Web Services (AWS)
AWS Compliance timeline
This compliance timeline shows security policies implemented and compliance events, starting in 2009 with HIPAA and running to the first quarter of 2013 with improvements to IAM policy variables:

| Date | Security or Compliance Event | Description |
|---|---|---|
| 4/3/13 | IAM Policy Variables | Create policies containing variables that will be dynamically evaluated using context from the authenticated user's session. |
| 3/26/13 | AWS CloudHSM | Use dedicated Hardware Security Module (HSM) appliances within the AWS Cloud. |
| 3/11/13 | VPC by default | EC2 instances will be launched in a VPC for new customers. Amazon Virtual Private Cloud (Amazon VPC) |
| 11/19/12 | Cross-account API access using IAM roles | Delegate temporary API access to AWS services and resources within your AWS account without having to share long-term security credentials. |
| 7/10/12 | MFA-protected API access | Enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies. |
| 6/11/12 | IAM Roles | Simplifies the process for applications to securely access AWS service APIs from EC2 instances. |
| 1/30/12 | AWS Trusted Advisor | Self-service access to proactive alerts that identify opportunities to save money, improve system performance, or close security gaps. |
| 11/11/11 | Compliance Milestone: SOC 1, Type 2 Report | |
| 11/2/11 | Support for virtual MFA devices | Use a smartphone, tablet, or computer running any application that supports the open TOTP standard. |
| 10/4/11 | S3 server-side encryption | Request encrypted storage when you store a new object in Amazon S3 or when an existing object is copied. |
| 9/15/11 | Compliance Milestone: FISMA Moderate | |
| 8/16/11 | AWS GovCloud | AWS Region designed to allow US government agencies and customers to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. |
| 8/3/11 | AWS Direct Connect | Enables you to bypass the public Internet when connecting to AWS. |
| 12/7/10 | Compliance Milestone: PCI DSS Level 1 | |
| 11/18/10 | Compliance Milestone: ISO 27001 | |
| 9/2/10 | AWS Identity and Access Management (IAM) | Enables you to securely control access to AWS services and resources for your users. |
| 11/11/09 | Compliance Milestone: SAS70 Type II Audit | |
| 8/31/09 | AWS Multi-Factor Authentication (MFA) | Provides an extra level of security that can be applied to your AWS environment. |
| 8/26/09 | Amazon VPC | Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. |
| 4/6/09 | Compliance milestone: white paper for HIPAA-compliant data applications | |
For an extended and detailed account of security-related improvements to Amazon S3 for the current year, 2014, see Appendix 1: Amazon Web Services (AWS) security updates. For a complete list of compliance reports as well as certifications and third-party attestations, see Amazon Web Services. (2014). AWS Risk and Compliance Whitepaper.
Incidents related to Amazon S3 Configurations
This account of events attempts to present security from the perspective of all involved parties. When transferring services to the cloud, there is a significant transference of risk, but this transfer is not absolute and complete. The customer must remain vigilant about the portion of responsibility it controls with respect to security. In many cases this means reviewing SLAs and ensuring that services are correctly configured to perform as expected, from user or group permissions to data privacy assurances. Listed below are two reports that show configuration issues related to cloud services, one from the customer side and another from the provider.
August 08, 2011 - Amazon S3 security: Exploiting misconfigurations (TechTarget Magazine)
This report covers Amazon S3 misconfigurations and what companies should do to ensure Amazon S3 security and avoid inadvertent data exposure. A security researcher, Diji Ninja, had an epiphany when considering how Amazon S3 storage functioned: If each URL was customized with a unique account name, it would be possible to use existing brute force techniques to enumerate the Amazon S3 buckets and possibly access the files. The researcher developed a tool to test this theory using standard wordlists and running them against the Amazon S3 API. The tool can also test whether the Amazon S3 storage bucket has been properly configured for public or private access. Running this tool with a simple word list produces enlightening results that demonstrate both an Amazon S3 oversight and the importance of proper customer configuration. The tool runs through the wordlist by testing access to bucket URLs in succession in this format: http://s3.amazonaws.com/wordlist.
Using a wordlist of only 2,700 words, a scan revealed the existence of roughly 15,000 files contained in Amazon buckets, both public and private. Most surprising, even files that exist in buckets and that are marked as private are still listed by name even though they cannot be accessed. Customers may not realize that the names of their files contained in these private buckets are available to anyone with a Web browser and the proper URL to their bucket. Anyone using this service should, at a minimum, consider a generic naming convention to obfuscate the contents of the bucket from public access. Ninja's test produced another surprising result: a large number of publicly accessible buckets. Customers may not have configured the storage properly for public/private access and inadvertently exposed private data to the Internet.
This data may include: pictures stored in the Amazon S3 storage buckets, customer invoices, and sensitive documents containing Social Security numbers and other private data that was not meant to be shared. Amazon S3 customers should create controls to maintain and monitor the permissions set on storage buckets to avoid the risk of an inadvertent breach of confidential data.
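One way to implement the permission monitoring recommended above, as an added example that is not part of the original paper or of any AWS tooling: a Python audit that flags bucket ACL grants to the two public S3 groups and says what each grant exposes. The bucket names and inventory are constructed, the ACL dictionaries follow the shape of the response from boto3's get_bucket_acl call, and bucket policies, a separate path to public access, are outside its scope.

```python
"""Flag S3 bucket ACL grants that open a bucket to the predefined public groups."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

AUDIENCE = {
    ALL_USERS: "anyone on the Internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}

# What each permission allows when it is granted on a bucket (not on an object).
EFFECT = {
    "READ": "list the names of the objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write, and read or rewrite the ACL",
}
SEVERITY = {"READ": "medium", "READ_ACP": "low", "WRITE": "high",
            "WRITE_ACP": "high", "FULL_CONTROL": "high"}
RANK = {"high": 0, "medium": 1, "low": 2}


def public_grants(acl):
    """Return one finding per grant made to a public group in a bucket ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in AUDIENCE:
            continue  # grants to the owner or to named accounts are not public
        permission = grant.get("Permission", "")
        findings.append({
            "audience": AUDIENCE[uri],
            "permission": permission,
            "effect": EFFECT.get(permission, "unknown permission"),
            # An unrecognised permission is treated as high until reviewed.
            "severity": SEVERITY.get(permission, "high"),
        })
    return findings


def audit(inventory):
    """Audit {bucket_name: acl} and return findings, most severe first."""
    report = []
    for bucket, acl in inventory.items():
        for finding in public_grants(acl):
            report.append(dict(finding, bucket=bucket))
    report.sort(key=lambda f: (RANK[f["severity"]], f["bucket"]))
    return report


def owner_grant():
    """Constructed owner entry, present in every sample ACL."""
    return {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
            "Permission": "FULL_CONTROL"}


# Constructed inventory. Against a live account each value would come from
# boto3.client("s3").get_bucket_acl(Bucket=name).
SAMPLE_INVENTORY = {
    "example-invoices": {"Grants": [owner_grant()]},
    "example-logs-backup": {"Grants": [
        owner_grant(),
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "example-uploads": {"Grants": [
        owner_grant(),
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['bucket']}: {f['audience']} can "
              f"{f['effect']} ({f['permission']})")
```

Run on a schedule, the same audit turns a one-off review into the ongoing monitoring the report calls for.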
March-April, 2013 - Amazon S3 misconfiguration exposes business data (Computing Magazine) (CloudPro) (Rapid7 [16])
Users of Amazon's Simple Storage Service (S3) may have misconfigured their accounts, leading to the exposure of business data to the public, security solution provider Rapid7 has found. The firm discovered 12328 unique buckets, and of those buckets 1951 were public, meaning that nearly one in six buckets could be looked at by anyone who is interested.
After reviewing the permissions of 12,328 Amazon S3 buckets, the Rapid7 team revealed that, of the 1,951 'public' ones, there were some 126 billion files exposed in all, around 60 percent of which were images. However, there were also 28,000 PHP source files (including database usernames, passwords and API keys) and 218,000 CSV files (including personal data such as email addresses and telephone numbers). There were also 5 million text files, large numbers of which were marked as private or confidential and contained sensitive personal credentials and details about the organisations concerned and their customers. Getting even more specific on the information that was exposed in these buckets, Rapid7 cites examples such as sales records and accounts from a large car dealership, source code and development tools from a mobile gaming outfit, sales 'battlecards' for a large software vendor and assorted cases of employee personal information across various spreadsheets. The most common exposure was through log backups that were left globally accessible. Rapid7 has since worked with Amazon to disclose this misconfiguration, and it recommended that customers check their bucket settings unless they really want to openly share their files.
[16] https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
Third Parties and Other Perspectives
As the cloud computing environment continues to grow and evolve, third-party service providers will continue to offer products and services that are touted as enhancements to the cloud computing experience. Currently, this dynamic is, in part, represented in the cloud security space by makers of front-end managers for S3 services, such as CloudBerry, and by an open-source distributed web application firewall project called IronBee. If services like these become viable in the space of major cloud computing vendors, they would become a marker for providing innovative solutions with the cloud as a platform, and represent a competitive driver to push cloud providers toward a higher level of security. Further research ought to be pursued in this subject.
FedRAMP Changes: What is the impact in cloud services?
According to several influential IT professionals [17], the combination of education, experience and the advent of the Federal Risk and Authorization Management Program standards, regulations intended to standardize cloud security, will increase cloud adoption in government significantly over the next few years [18]. While benefits and security continue to mature, agencies become more comfortable with the culture changes involved in reliance on the cloud for computing resources. Cloud providers have to build trust with their customers, and the currency is information. [19]
While we have no reason to expect major changes in FedRAMP or its administration that would negatively impact the education efforts, trust, or the FedRAMP framework itself, we remain curious about the potential impact of FedRAMP's recent change in jurisdiction from the General Services Administration to the Office of the Chief Information Officer. The directives from the CIO's office relating to federal cloud computing strategy suggest that this move is simply administrative, and that the overall direction of FedRAMP will remain consistent (Kundra, 2011). Though FedRAMP must constantly evolve to meet the rapidly changing security needs in cloud computing, large changes in the framework at this stage would disrupt the CIO's vision for government computing in the cloud, and likely make the transition of services to the cloud far more difficult.
[17] Brocade and FCW, retrieved from: www.FCW.com/ResearchREportCloudComputing
[18] ibid.
[19] ibid.
Problems and Issues
This study faced two main issues in generating its results. The first and largest of these issues was time. Once our group was formed, and our topic assigned, we began to identify the problem set. We felt that a broad study of security frameworks across the service groups within cloud computing was useful, but narrowed the topic down dramatically in order to be able to provide a substantive deliverable by the end of the course term. The short time frame also impacted our work by forcing removal from our scope of verification and validation of information provided by Amazon about the confidentiality of the S3 service, as well as the removal of a testing phase related to Amazon's two-factor authentication offering for its cloud services, including S3.
Testing of two-factor authentication was also impacted by the second issue of this study, which is funding. Devices or services that may have impacted the confidentiality of S3 could not be purchased due to lack of funds. Though the devices that Amazon uses for two-factor authentication within the S3 service are relatively inexpensive, many of Amazon's cloud service offerings that are targeted toward larger organizations, such as government agencies, are not. Without access to these services, or models that would serve as adequate substitutes, we were prevented from performing tasks that may have produced significant insight into the security structure and function of Amazon's web services due to the possibility of breaking live Amazon services. Doing so would have violated the bounds of this project.
Conclusions and Future Study
This project focuses on a small subset of the security challenges currently facing cloud computing; however, it has the potential to produce large-scale impacts on users of cloud storage services. Simply because the cloud computing space is growing so rapidly, any work that affects the space will impact an enormous number of users. We feel that this project will not only guide the security posture of Amazon's S3 service, but also enhance guidelines for the confidentiality of data on cloud storage services across other providers.
FedRAMP and other creators of frameworks relating to the security of cloud computing are making strong progress in a challenging and quickly evolving space. The breadth of frameworks like CSA and FedRAMP, which makes them useful to most cloud computing users, also places the real burden of providing useful security to those seeking guidance from these frameworks upon the person or people who are evaluating the cloud use against the guidelines. In the case of FedRAMP provider evaluations, this burden falls to the third-party service evaluators. This system creates a security vulnerability because the suite of provider offerings is not evaluated against specific agency or project needs. This responsibility falls to agencies considering the use of cloud services, who are likely not to have expertise in such evaluations. Once again, consulting firms may add value in this space, but their understanding of the needs of the agency is questionable, and gaining that type of understanding would likely be expensive. Consequently, while FedRAMP is a strong framework from which to begin evaluation of cloud service providers against customer needs, we believe that augmenting FedRAMP based on the following suggestions would add greater confidentiality to the framework.
All organizations using, or considering the use of, cloud services would likely benefit from the adoption by standards organizations of a data classification system similar to the security clearance system currently used by national security-related agencies in the United States government. These levels would be more extensive than the current FedRAMP low, and FedRAMP medium designations, and would also incorporate higher levels of security controls similar to those found in the DoD cloud security model (DISA, 2014). Classifying data by sensitivity for security and privacy purposes could balance the cost of security with the benefit of that security at these different levels, especially if developed by consensus both inside and outside of the national security apparatus. If cloud security framework systems were augmented with these classifications, selection and utilization of cloud services would likely be much more straightforward and consequently, more likely to be implemented effectively.
Moving forward in cloud computing security, it is becoming increasingly important to understand the interaction within the cloud among the various services offered. For example, because we were not able to test Amazon's cryptographic offerings that claim to encrypt data on the service, we recommend that sensitive data be encrypted prior to being uploaded to the cloud; however, this recommendation takes on added challenge when data is stored on the cloud by a SaaS application that also lives in the cloud. In light of recent challenges with government web portals that process highly privacy-sensitive information such as www.healthcare.gov working in support of the Affordable Care Act, it would seem to be unthinkable to implement such a system in a private cloud environment. We suggest that, with the proper implementation of strong controls and monitoring, even a healthcare.gov cloud may be able to share cloud space with other agencies in a relatively secure manner.
Because our time working on this project was so short, and because the cloud computing environment is so dynamic, opportunities for future work on this topic abound. Certainly, SaaS and PaaS are fertile ground for study, as are the availability and integrity aspects of the C-I-A triad, since all of these topics were scoped out of this work. Creation or adoption of the information classification system recommended above would also be extremely worthy of investigation.
As more users migrate to these services, and as they begin to store more sensitive information within the cloud, it is imperative that the confidentiality of their data is assured. If we consider applications where critical health or genetic information is stored using the cloud, or where troops in the field use a similar type of service to communicate critical information to commanders, the impact of data confidentiality becomes clear. Though we will not be able to solve the majority of challenges relating to the confidentiality of data in the cloud environment over the course of a single semester, we feel that this project will make a real and lasting contribution to the state-of-the-art in this area, and be able to be built upon by future class research. Ultimately, we hope to make cloud storage more secure for millions of users worldwide.
References
Amazon Web Services. (2014). Amazon Web Services: Risk and Compliance April 2014. Retrieved April 10, 2014 from: http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf.
Astrova, I., Grivas, S. G., Schaaf, M., Koschel, A., Bernhardt, J., Kellermeier, M. D. Herr, M. (2012). Security of a Public Cloud. 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 564-569. doi:10.1109/IMIS.2012.78
Behl, A., & Behl, K. (2012). An Analysis of Cloud Computing Security Issues, 109-114.
Chiu, D., & Agrawal, G. (2010). Evaluating caching and storage options on the Amazon Web Services Cloud. 2010 11th IEEE/ACM International Conference on Grid Computing, 17-24. doi:10.1109/GRID.2010.5697949
Chow, R., Jakobsson, M., Masuoka, R., Molina, J., Niu, Y., Shi, E., & Song, Z. (2010). Authentication in the Clouds: A Framework and its, 1-6.
Cloud Security Alliance. (2013). SECURITY GUIDANCE FOR CRITICAL AREAS OF FOCUS IN CLOUD, 0-176.
Garfinkel, S. (2007). Commodity Grid Computing with Amazon's S3 and EC2.
Gurkok, C. (2013). Securing Cloud Computing Systems. Computer and Information Security Handbook 2e (pp. 97-124). Elsevier Inc. doi:10.1016/B978-0-12-394397-2.00006-4
IronBee Open Source Web Application Firewall. (2013).
Kshetri, N. (2013). Privacy and security issues in cloud computing: The role of institutions and institutional evolution. Telecommunications Policy, 37(4-5), 372-386. doi:10.1016/j.telpol.2012.04.011
Kundra, V. (2011). Federal Cloud Computing Strategy.
Ma, X. (2012). Security Concerns in Cloud Computing. 2012 Fourth International Conference on Computational and Information Sciences, 1069-1072. doi:10.1109/ICCIS.2012.274
Marinescu, D. (2013). Cloud Computing Theory and Practice: Cloud Security (Chapter 9), 273-300. doi:10.1016/B978-0-12-404627-6.00009-9
Mouratidis, H., Islam, S., Kalloniatis, C., & Gritzalis, S. (2013). A framework to support selection of cloud providers based on security and privacy requirements. Journal of Systems and Software, 86(9), 2276-2293. doi:10.1016/j.jss.2013.03.011
Nayak, S. K., Mohapatra, S., & Majhi, B. (2012). An Improved Mutual Authentication Framework for Cloud Computing User message, 52(5), 36-41.
Shraer, A., Cachin, C., & Cidon, A. (2010). Venus: Verification for untrusted cloud storage. Workshop on Cloud , 19-29. Retrieved from http://dl.acm.org/citation.cfm?id=1866841
Tajadod, G., Batten, L., & Govinda, K. (2012). Microsoft and Amazon: A comparison of approaches to cloud security, 539-544.
Yang, K., & Jia, X. (2014). Security for Cloud Storage Systems. Springer.
Yu, Y., Niu, L., Yang, G., Mu, Y., & Susilo, W. (2014). On the security of auditing mechanisms for secure cloud storage. Future Generation Computer Systems, 30, 127-132. doi:10.1016/j.future.2013.05.005
United States Defense Information Systems Agency. (2014). DoD Enterprise Cloud Service Broker.
APPENDICES
APPENDIX 1: Amazon Web Services (AWS) security updates
Some of the latest security improvements to Amazon Web Services (AWS) for 2014 are listed below in order to provide a documented overview of advancements toward providing more secure cloud services.
April 21, 2014 - AWS accounts access keys
AWS will remove the ability to retrieve existing secret access keys for your AWS (root) account. Secret access keys are, as the name implies, secrets, like your password. Just as AWS doesn't allow you to retrieve your password if you forget it, you will no longer be able to retrieve the secret access keys for your root account. This is (and always has been) the case with secret access keys for IAM users.
April 2, 2014 - Update to AWS Sign-In
AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. The new sign-in experience continues to provide the same functionality as the previous one, but provides a more consistent experience for IAM users when signing in to an AWS account, whether it is on a PC, tablet, or mobile phone.
April 1, 2014 - RedShift receives FedRAMP Authority to Operate (ATO)
AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we've added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013. With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region. Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools. It is optimized for datasets ranging from a few hundred gigabytes to a petabyte or more.
March 26, 2014 - AWS Secures DoD Provisional Authorization
AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model's impact levels 1-2 for all four of AWS's Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD's stringent security and compliance requirements; and as a result, even more DoD agencies can now use AWS's secure, compliant infrastructure. Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed Amazon's compliance with additional security controls and granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.
March 18, 2014 - Use AWS CloudFormation to configure Web Identity Federation
Web identity federation in AWS STS enables you to create apps where users can sign in using a web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then trade identity information from the provider for temporary security credentials that the app can use to access AWS. The AWS mobile development team created an S3PersonalFileStore sample app for iOS and Android that shows you how to use web identity federation to let users store information in individual S3 folders.
March 5, 2014 - High Availability IAM Design Patterns
The AWS Identity and Access Management (IAM) team provides a tutorial on how to enable resiliency against authentication and authorization failures in an application deployed on Amazon EC2 using a high availability design pattern based on IAM roles.
February 27, 2014 - How do I protect cross-account access using MFA?
AWS announced support for adding multi-factor authentication (MFA) for cross-account access. This practice demonstrates how to create policies that enforce MFA when IAM users from one AWS account make programmatic requests for resources in a different account. Many maintain multiple AWS accounts, and Amazon is frequently asked how to simplify access management across those accounts. IAM roles provide a secure and controllable mechanism to enable cross-account access. Roles allow you to accomplish cross-account access without any credential sharing and without the need to create duplicate IAM users. With this announcement, you can add another layer of protection for cross-account access by requiring the users to authenticate using an MFA device before assuming a role.
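The MFA requirement described above is expressed in the trust policy of the role being assumed. The following added example (not AWS's or the paper's own code) checks role trust policies for cross-account principals that can assume a role without the aws:MultiFactorAuthPresent condition; the account IDs, role names and policies are constructed, and the function names are hypothetical.

```python
"""Find role trust policies that allow cross-account AssumeRole without MFA."""

MFA_KEY = "aws:multifactorauthpresent"  # condition keys are case-insensitive


def as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Return the account ID named by an AWS principal (ARN or bare 12-digit ID)."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def requires_mfa(condition):
    """True only for Bool aws:MultiFactorAuthPresent = true.

    BoolIfExists is rejected on purpose: it evaluates to true when the key is
    absent, which is the case for requests signed with long-term access keys.
    Scope assumption: aws:MultiFactorAuthAge conditions are not evaluated here.
    """
    for operator, keys in (condition or {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in keys.items():
            values = [str(v).lower() for v in as_list(value)]
            if key.lower() == MFA_KEY and values and all(v == "true" for v in values):
                return True
    return False


def cross_account_without_mfa(trust_policy, own_account):
    """List Allow statements that let another account assume the role without MFA."""
    findings = []
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            aws_principals = [principal]  # only "*" is valid in string form
        else:
            aws_principals = as_list(principal.get("AWS"))
        external = [p for p in aws_principals if account_of(p) != own_account]
        if external and not requires_mfa(stmt.get("Condition")):
            findings.append({"sid": stmt.get("Sid", ""), "principals": external})
    return findings


def audit_roles(roles, own_account):
    """Map role name -> findings, for roles that have at least one finding."""
    result = {}
    for name, policy in roles.items():
        findings = cross_account_without_mfa(policy, own_account)
        if findings:
            result[name] = findings
    return result


def trust(sid, account, condition=None):
    """Build a constructed single-statement trust policy."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


OWN_ACCOUNT = "111122223333"      # constructed account IDs
PARTNER_ACCOUNT = "444455556666"
SAMPLE_ROLES = {                  # constructed roles
    "audit-readonly": trust("NoCondition", PARTNER_ACCOUNT),
    "ops-admin": trust("MfaRequired", PARTNER_ACCOUNT,
                       {"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
    "deploy": trust("MfaIfExists", PARTNER_ACCOUNT,
                    {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}),
    "local-batch": trust("SameAccount", OWN_ACCOUNT),
}

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROLES, OWN_ACCOUNT).items():
        print(role, findings)
```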
February 17, 2014 - Whitepaper: Security at Scale: Logging in AWS
The Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail can help Amazon customers to meet compliance and security requirements through the logging of API calls. The API call history can be used to track changes to resources, perform security analysis and operational troubleshooting, and as an aid in meeting compliance requirements. This whitepaper is primarily focused on the functionality of AWS CloudTrail and describes how to:
- Control access to log files
- Obtain alerts on log file creation and misconfiguration
- Manage changes to AWS resources and log files
- Manage storage of log files
- Generate customized reporting of log data
The paper also relates these features to major compliance program requirements related to logging (e.g. ISO 27001:2005, PCI DSS v2.0, FedRAMP, etc.) and provides a robust compliance program index in the appendix for your reference.
January 15, 2014 - Tracking Federated User Access to Amazon S3 and Best Practices for Protecting Log Data
Auditing by using logs is an important capability of any cloud platform. There are several third party solution providers that provide auditing and analysis using AWS logs. Last November AWS announced its own logging and analysis service, called AWS CloudTrail. While logging is important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs within a federated access control context.
January 1, 2014 - Amazon Retrospective view of 2013
IAM: We posted a mixture of prescriptive guidance and detailed explanations about released Identity and Access Management features and best practices geared towards practitioners.
- Where's my secret access key?
- A safer way to distribute AWS credentials to EC2
- IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3 Resources)
- Guidelines for when to use Accounts, Users, and Groups
- How to rotate access keys for IAM users
- Improve the security of your AWS account in less than 5 minutes
- Securing access to AWS using MFA Part I
- Securing access to AWS using MFA Part 2
- Securing access to AWS using MFA Part 3
Policies and Permissions: IAM policies and permissions are powerful tools for authorization. Therefore, we focused a number of articles to help you fully realize the potential of IAM.
- Generating IAM Policies in Code
- Writing IAM Policies: How to grant access to an Amazon S3 bucket
- IAM policies and Bucket Policies and ACLs! Oh My! (Controlling Access to S3 Resources)
- Resource-level Permissions for EC2 Controlling Management Access on Specific Instances
- Announcement: Resource Permissions for additional EC2 API actions
- Amazon EC2 Resource-Level Permissions for RunInstances
- Announcing New IAM Policy Simulator
- A primer on RDS resource-level permissions
- Announcing resource-level permissions for AWS OpsWorks
Identity Federation: AWS launched three identity federation features and also made several smaller announcements
- Delegating API Access to AWS Services Using IAM Roles
- Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0
- New AWS web identity federation supports Amazon.com, Facebook, and Google identities
- Understanding the API options for securely delegating access to your AWS account
- AWS CloudFormation now supports federated users and temporary security credentials
- New playground app to explore web identity federation with Amazon, Facebook, and Google
Encryption:
- Encrypting data in Amazon S3
- AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series)
Compliance:
- Auditing Security Checklist for AWS Now Available
- 2013 PCI Compliance Package available now
- New Whitepaper: AWS Cloud Security Best Practices
- AWS Achieves First FedRAMP(SM) Agency ATOs
Other: Several important topics related to AWS Security were partner related and the other two were references to other security related material published and distributed in different venues.
- Controlling network access to EC2 instances using a bastion server
- Recap of re:Invent Sessions
- Credentials Best Practices on the AWS Java Developers Blog
- CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3
- Analyzing OS-Related Security Events on EC2 with SplunkStorm
APPENDIX 2: Consolidated Confidentiality Security Controls

| Control Domain | CCM V3.0 Control ID |
| --- | --- |
| Application & Interface Security - Data Security / Integrity | AIS-04 |
| Audit Assurance & Compliance - Information System Regulatory Mapping | AAC-03 |
| Business Continuity Management & Operational Resilience - Policy | BCR-11 |
| Change Control & Configuration Management - Outsourced Development | CCC-02 |
| Change Control & Configuration Management - Quality Testing | CCC-03 |
| Data Security & Information Lifecycle Management - Classification | DSI-01 |
| Data Security & Information Lifecycle Management - Information Leakage | DSI-05 |
| Data Security & Information Lifecycle Management - Non-Production Data | DSI-06 |
| Data Security & Information Lifecycle Management - Secure Disposal | DSI-08 |
| Datacenter Security - Asset Management | DCS-01 |
| Governance and Risk Management - Data Focus Risk Assessments | GRM-02 |
| Governance and Risk Management - Management Oversight | GRM-03 |
| Governance and Risk Management - Management Program | GRM-04 |
| Governance and Risk Management - Risk Assessments | GRM-10 |
| Human Resources - Background Screening | HRS-02 |
| Human Resources - Industry Knowledge / Benchmarking | HRS-05 |
| Human Resources - Non-Disclosure Agreements | HRS-07 |
| Human Resources - Roles / Responsibilities | HRS-08 |
| Human Resources - User Responsibility | HRS-11 |
| Identity & Access Management - Trusted Sources | IAM-08 |
| Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance | SEF-01 |
| Security Incident Management, E-Discovery & Cloud Forensics - Incident Management | SEF-02 |
| Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting | SEF-03 |
| Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation | SEF-04 |
| Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics | SEF-05 |
| Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services | STA-03 |
| Supply Chain Management, Transparency and Accountability - Supply Chain Agreements | STA-05 |
| Supply Chain Management, Transparency and Accountability - Third Party Audits | STA-09 |
Consolidated Confidentiality Security Controls - DETAILED

Control Domain: Application & Interface Security - Data Security / Integrity
CCM V3.0 Control ID: AIS-04
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure protection of confidentiality, integrity, and availability of data exchanged between one or more system interfaces, jurisdictions, or external business relationships to prevent improper disclosure, alteration, or destruction. These policies, procedures, processes, and measures shall be in accordance with known legal, statutory and regulatory compliance obligations.

Control Domain: Audit Assurance & Compliance - Information System Regulatory Mapping
CCM V3.0 Control ID: AAC-03
Control Specification: An inventory of the organization's external legal, statutory, and regulatory compliance obligations associated with (and mapped to) any scope and geographically-relevant presence of data or organizationally-owned or managed (physical or virtual) infrastructure network and systems components shall be maintained and regularly updated as per the business need (e.g., change in impacted-scope and/or a change in any compliance obligation).

Control Domain: Business Continuity Management & Operational Resilience - Policy
CCM V3.0 Control ID: BCR-11
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

Control Domain: Change Control & Configuration Management - Outsourced Development
CCM V3.0 Control ID: CCC-02
Control Specification: The use of an outsourced workforce or external business relationship for designing, developing, testing, and/or deploying the organization's own source code shall require higher levels of assurance of trustworthy applications (e.g., management supervision, established and independently certified adherence information security baselines, mandated information security training for outsourced workforce, and ongoing security code reviews).

Control Domain: Change Control & Configuration Management - Quality Testing
CCM V3.0 Control ID: CCC-03
Control Specification: A program for the systematic monitoring and evaluation to ensure that standards of quality and security baselines are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established and documented, and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process, with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release. It is also necessary to incorporate technical security reviews (i.e., vulnerability assessments and/or penetration testing) to remediate vulnerabilities that pose an unreasonable business risk or risk to customers (tenants) prior to release.

Control Domain: Data Security & Information Lifecycle Management - Classification
CCM V3.0 Control ID: DSI-01
Control Specification: Data and objects containing data shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, third-party obligation for retention, and prevention of unauthorized disclosure or misuse.

Control Domain: Data Security & Information Lifecycle Management - Information Leakage
CCM V3.0 Control ID: DSI-05
Control Specification: Security mechanisms shall be implemented to prevent data leakage.

Control Domain: Data Security & Information Lifecycle Management - Non-Production Data
CCM V3.0 Control ID: DSI-06
Control Specification: Production data shall not be replicated or used in non-production environments.

Control Domain: Data Security & Information Lifecycle Management - Secure Disposal
CCM V3.0 Control ID: DSI-08
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

Control Domain: Datacenter Security - Asset Management
CCM V3.0 Control ID: DCS-01
Control Specification: Assets must be classified in terms of business criticality in support of dynamic and distributed physical and virtual computing environments, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly (or in real-time), and assigned ownership supported by defined roles and responsibilities, including those assets used, owned, or managed by customers (tenants).

Control Domain: Governance and Risk Management - Data Focus Risk Assessments
CCM V3.0 Control ID: GRM-02
Control Specification: Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
- Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
- Compliance with defined retention periods and end-of-life disposal requirements
- Data classification and protection from unauthorized use, access, loss, destruction, and falsification

Control Domain: Governance and Risk Management - Management Oversight
CCM V3.0 Control ID: GRM-03
Control Specification: Managers are responsible for maintaining awareness of, and complying with, security policies, procedures and standards that are relevant to their area of responsibility.

Control Domain: Governance and Risk Management - Management Program
CCM V3.0 Control ID: GRM-04
Control Specification: An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
- Risk management
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance

Control Domain: Governance and Risk Management - Risk Assessments
CCM V3.0 Control ID: GRM-10
Control Specification: Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

Control Domain: Human Resources - Background Screening
CCM V3.0 Control ID: HRS-02
Control Specification: Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.

Control Domain: Human Resources - Industry Knowledge / Benchmarking
CCM V3.0 Control ID: HRS-05
Control Specification: Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained.

Control Domain: Human Resources - Non-Disclosure Agreements
CCM V3.0 Control ID: HRS-07
Control Specification: Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.

Control Domain: Human Resources - Roles / Responsibilities
CCM V3.0 Control ID: HRS-08
Control Specification: Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.

Control Domain: Human Resources - User Responsibility
CCM V3.0 Control ID: HRS-11
Control Specification: All personnel shall be made aware of their roles and responsibilities for:
- Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
- Maintaining a safe and secure working environment

Control Domain: Identity & Access Management - Trusted Sources
CCM V3.0 Control ID: IAM-08
Control Specification: Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.

Control Domain: Security Incident Management, E-Discovery & Cloud Forensics - Contact / Authority Maintenance
CCM V3.0 Control ID: SEF-01
Control Specification: Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.

Control Domain: Security Incident Management, E-Discovery & Cloud Forensics - Incident Management
CCM V3.0 Control ID: SEF-02
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

Control Domain: Security Incident Management, E-Discovery & Cloud Forensics - Incident Reporting
CCM V3.0 Control ID: SEF-03
Control Specification: Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

Control Domain: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Legal Preparation
CCM V3.0 Control ID: SEF-04
Control Specification: In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, shall be required for the preservation and presentation of evidence to support potential legal action subject to the relevant jurisdiction. Upon notification, customers (tenants) and/or other external business relationships impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

Control Domain: Security Incident Management, E-Discovery & Cloud Forensics - Incident Response Metrics
CCM V3.0 Control ID: SEF-05
Control Specification: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

Control Domain: Supply Chain Management, Transparency and Accountability - Network / Infrastructure Services
CCM V3.0 Control ID: STA-03
Control Specification: Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.

Control Domain: Supply Chain Management, Transparency and Accountability - Supply Chain Agreements
CCM V3.0 Control ID: STA-05
Control Specification: Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
- Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
- Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effectively governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
- Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
- Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
- Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
- Expiration of the business relationship and treatment of customer (tenant) data impacted
- Customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence

Control Domain: Supply Chain Management, Transparency and Accountability - Third Party Audits
CCM V3.0 Control ID: STA-09
Control Specification: Third-party service providers shall demonstrate compliance with information security and confidentiality, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at planned intervals to govern and maintain compliance with the service delivery agreements.