• Does the provider maintain a documented method that details the impact of a disruption?
  o What are the RPO (recovery point objective) and RTO (recovery time objective) for services? Detail according to the criticality of the service.
  o Are information security activities appropriately addressed in the restoration process?
  o What are the lines of communication to end customers in the event of a disruption?
  o Are the roles and responsibilities of teams clearly identified when dealing with a disruption?
• Has the provider categorised the priority for recovery, and what would be our relative priority (the end customer) to be restored? Note: this may be a category (HIGH/MED/LOW).
• What dependencies relevant to the restoration process exist? Include suppliers and outsource partners.
• In the event of the primary site being made unavailable, what is the minimum separation for the location of the secondary site?

INCIDENT MANAGEMENT AND RESPONSE

Incident management and response is a part of business continuity management.
The goal of this process is to contain the impact of unexpected and potentially disrupting events to an acceptable level for an organization.
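As an added example (not part of the ENISA text), the following Python script shows what a customer can do with the evidence that the business continuity questions above and the incident-management questions that follow ask a provider for: incidents per month, the share caused by subcontractors, mean time to respond and to resolve, and whether each incident stayed within the RPO/RTO targets for the criticality of the affected service. The incident records and the per-criticality targets are constructed for illustration and are not from any provider or standard.

```python
"""Constructed example: computing incident metrics and RPO/RTO attainment
from a provider's incident records. All data below is made up."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Assumed recovery targets per service criticality, in minutes.
# Illustrative values only, not taken from any standard or provider.
TARGETS = {
    "HIGH": {"rpo": 15, "rto": 60},
    "MED": {"rpo": 240, "rto": 480},
    "LOW": {"rpo": 1440, "rto": 2880},
}


@dataclass
class Incident:
    ident: str
    service: str
    criticality: str          # HIGH / MED / LOW, as in the questionnaire
    detected: datetime        # when the provider detected or was told
    responded: datetime       # first responder action
    resolved: datetime        # service restored
    caused_by_subcontractor: bool
    data_loss_min: int        # minutes of data lost on restore (actual RPO)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed incident records (hypothetical services and timestamps).
INCIDENTS = [
    Incident("INC-1", "billing", "HIGH", _t("2009-10-02 08:00"),
             _t("2009-10-02 08:10"), _t("2009-10-02 08:50"), False, 10),
    Incident("INC-2", "billing", "HIGH", _t("2009-10-20 14:00"),
             _t("2009-10-20 14:30"), _t("2009-10-20 16:00"), True, 30),
    Incident("INC-3", "wiki", "LOW", _t("2009-11-05 09:00"),
             _t("2009-11-05 11:00"), _t("2009-11-06 09:00"), False, 60),
    Incident("INC-4", "crm", "MED", _t("2009-11-18 22:00"),
             _t("2009-11-18 22:20"), _t("2009-11-19 01:00"), True, 120),
]


def minutes(a, b):
    return (b - a).total_seconds() / 60


def incidents_per_month(incidents):
    """Number of detected or reported incidents per calendar month."""
    return dict(Counter(i.detected.strftime("%Y-%m") for i in incidents))


def subcontractor_share(incidents):
    """(incidents caused by subcontractors, total incidents)."""
    caused = sum(1 for i in incidents if i.caused_by_subcontractor)
    return caused, len(incidents)


def mean_times(incidents):
    """Average time to respond and average time to resolve, in minutes,
    both measured from detection."""
    return (
        mean(minutes(i.detected, i.responded) for i in incidents),
        mean(minutes(i.detected, i.resolved) for i in incidents),
    )


def recovery_breaches(incidents, targets=TARGETS):
    """Incidents whose actual recovery time or data loss exceeded the
    RTO/RPO target for the service's criticality category."""
    out = []
    for i in incidents:
        t = targets[i.criticality]
        missed = []
        if minutes(i.detected, i.resolved) > t["rto"]:
            missed.append("RTO")
        if i.data_loss_min > t["rpo"]:
            missed.append("RPO")
        if missed:
            out.append((i.ident, i.criticality, missed))
    return out


if __name__ == "__main__":
    print("incidents per month:", incidents_per_month(INCIDENTS))
    print("caused by subcontractors / total:", subcontractor_share(INCIDENTS))
    respond, resolve = mean_times(INCIDENTS)
    print(f"mean time to respond: {respond:.1f} min, to resolve: {resolve:.1f} min")
    print("RPO/RTO breaches:", recovery_breaches(INCIDENTS))
```

The same functions can be run over a provider's periodic incident report once it is exported in a structured form; the point of asking for the metrics up front is that they can only be checked against the agreed RPO/RTO targets if the provider records detection, response and restoration times per incident and per service.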
78 Cloud Computing Benefits, risks and recommendations for information security

To evaluate the capacity of an organization to minimize the probability of occurrence or reduce the negative impact of an information security incident, the following questions should be asked of a cloud provider:
• Does the provider have a formal process in place for detecting, identifying, analyzing and responding to incidents?
• Is this process rehearsed to check that incident handling processes are effective? Does the provider also ensure, during the rehearsal, that everyone within the cloud provider’s support organisation is aware of the processes and of their roles during incident handling (both during the incident and post analysis)?
• How are the detection capabilities structured?
  o How can the cloud customer report anomalies and security events to the provider?
  o What facilities does the provider allow for customer-selected third party RTSM services to intervene in their systems (where appropriate) or to co-ordinate incident response capabilities with the cloud provider?
  o Is there a real time security monitoring (RTSM) service in place?
  o Is the service outsourced?
  o What kind of parameters and services are monitored?
  o Do you provide (upon request) a periodical report on security incidents (e.g., according to the ITIL definition)?
  o For how long are the security logs retained?
  o Are those logs securely stored?
  o Who has access to the logs?
  o Is it possible for the customer to build a HIPS/HIDS in the virtual machine image?
  o Is it possible to integrate the information collected by the intrusion detection and prevention systems of the customer into the RTSM service of the cloud provider or that of a third party?
• How are severity levels defined?
• How are escalation procedures defined?
• When (if ever) is the cloud customer involved?
• How are incidents documented and evidence collected?
• Besides authentication, accounting and audit, what other controls are in place to prevent (or minimize the impact of) malicious activities by insiders?
• Does the provider offer the customer (upon request) a forensic image of the virtual machine?
• Does the provider collect incident metrics and indicators (i.e., number of detected or reported incidents per month, number of incidents caused by the cloud provider’s subcontractors and the total number of such incidents, average time to respond and to resolve, etc)?
  o Which of these does the provider make publicly available? (NB not all incident reporting data can be made public since it may compromise customer confidentiality and reveal security critical information.)
• How often does the provider test disaster recovery and business continuity plans?
• Does the provider collect data on the levels of satisfaction with SLAs?
• Does the provider carry out help desk tests? For example:
  o Impersonation tests (is the person at the end of the phone requesting a password reset really who they say they are?) or so-called ‘social engineering’ attacks.
• Does the provider carry out penetration testing? How often? What is actually tested during the penetration test – for example, do they test the security isolation of each image to ensure it is not possible to ‘break out’ of one image into another and also gain access to the host infrastructure? The tests should also check whether it is possible to gain access, via the virtual image, to the cloud provider’s management and support systems (e.g., the provisioning and admin access control systems).
• Does the provider carry out vulnerability testing? How often? What is the process for rectifying vulnerabilities (hot fixes, re-configuration, uplift to later versions of software, etc)?

2 The ePrivacy directive, as revised in 2009 (http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf), requires Member States to introduce a security breach notification scheme. Note that this scheme will be applicable to electronic communication networks and electronic communication services, not to information society services such as cloud computing services.

BUILDING TRUST IN THE CLOUD

• Certification processes and standards for clouds: more generally, cloud computing security lifecycle standards that can be certified against cloud specific provisions for governance standards – COBIT (52), ITIL (53), etc;
• Metrics for security in cloud computing;
• Return on security investments (ROSI): the measures cloud computing can enable to improve the accuracy of ROI for security;
• Effects of different forms of reporting breaches on security;
• Techniques for increasing transparency while maintaining appropriate levels of security:
  o Tagging, e.g., location tagging, data type tagging, policy tagging
  o Privacy preserving data provenance systems, e.g., tracing data end-to-end through systems;
• End-to-end data confidentiality in the cloud and beyond:
  o Encrypted search (long term)
  o Encrypted processing schemes (long term)
  o Encryption and confidentiality tools for social applications in the cloud
  o Trusted computing in clouds, e.g., trusted boot sequences for virtual machine stacks;
• Higher assurance clouds, virtual private clouds, etc;
• Extending cloud-based trust to client-based data and applications.
DATA PROTECTION IN LARGE-SCALE CROSS-ORGANIZATIONAL SYSTEMS

The following areas require further research with respect to cloud computing:
• Data destruction and lifecycle management
• Integrity verification – of backups and archives in the cloud and their version management
• Forensics and evidence gathering mechanisms
• Incident handling – monitoring and traceability
• Dispute resolution and rules of evidence
• International differences in relevant regulations, including data protection and privacy
  o Legal means to facilitate the smooth functioning of multi-national cloud infrastructures
  o Automated means to mitigate problems with different jurisdictions.
LARGE-SCALE COMPUTER SYSTEMS ENGINEERING

• Security in depth within large-scale distributed computer systems;
• Security services in the cloud – de-perimeterisation of security technologies and the adaptation of traditional security perimeter control technologies to the cloud, e.g., HSMs, web filters, firewalls, IDSs, etc;
• Resource isolation mechanisms – data, processing, memory, logs, etc;
33. Andrew Becherer, Alex Stamos, Nathan Wilcox [Online] http://www.slideshare.net/astamos/cloud-computing-security
34. Wikipedia [Online] http://en.wikipedia.org/wiki/Token_bucket
35. — [Online] http://en.wikipedia.org/wiki/Fair_queuing
36. — [Online] http://en.wikipedia.org/wiki/Class-based_queueing
37. Devera, Martin [Online] http://luxik.cdi.cz/~devik/qos/htb/old/htbtheory.htm
38. Open Source Xen Community [Online] http://xen.org/
39. Common Criteria Recognition Agreement (CCRA) [Online] http://www.commoncriteriaportal.org/
40. OWASP [Online] http://www.owasp.org/index.php/OWASP_Top_Ten_Project
41. — [Online] http://www.owasp.org/index.php/Category:OWASP_Guide_Project
42. ISO/IEC 27001:2005 Information technology — Security techniques — Information security management systems — Requirements
43. ISO/IEC 27002:2005 Information technology — Security techniques — Code of practice for information security management
44. BSI Group. BS 25999 Business Continuity
45. NIST Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems
46. OWASP [Online] http://www.owasp.org/index.php/Main_Page
47. SANS Institute [Online] http://www.sans.org/reading_room/whitepapers/securecode/a_security_checklist_for_web_application_design_1389?show=1389.php&cat=securecode
48. Software Assurance Forum for Excellence in Code (SAFECode) [Online] http://www.safecode.org
49. IEEE Standards Association [Online] http://standards.ieee.org/getieee802/download/802.1Q2005.pdf
50. The European Privacy Seal [Online] https://www.european-privacy-seal.eu/
51. EDRI – European Digital Rights [Online] http://www.edri.org/edri-gram/number7.2/internationalstandards-data-protection
52. ISACA [Online] http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/COBIT_Publications/COBIT_Products.htm
53. Office of Government Commerce (OGC) [Online] http://www.itil-officialsite.com/home/home.asp
54. Vaquero, Luis; Rodero-Merino, Luis; Caceres, Juan; Lindner, Maik. A Break in the Clouds: Towards a Cloud Definition
55. Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, April 2009, http://www.cloudsecurityalliance.org/guidance/csaguide.pdf
56. Jericho Forum, Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration, April 2009, http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
57. Gartner, Assessing the Security Risks of Cloud Computing, June 2008, http://www.gartner.com/DisplayDocument?id=685308
58. Data Liberation Front, Google, http://www.dataliberation.org/

ANNEX I – CLOUD COMPUTING – KEY LEGAL ISSUES

I.
Five key legal issues have been identified which are common across all the scenarios:
1. data protection
   a. availability and integrity
   b. minimum standard or guarantee
2. intellectual property
4. professional negligence
5. outsourcing services and changes in control.
Most of the issues identified in this discussion are not unique to cloud computing.
Indeed, customers of cloud computing services may find it helpful to use the legal analysis applied to other Internet services as a foundation upon which to base their legal analysis of the security risks posed by cloud computing.
To avoid repeating prior analysis, we have focused on those aspects of cloud computing security that we believe present new legal challenges or material changes from the analysis applied to prior Internet technologies.
We believe that potential customers of cloud services will be quite concerned about issues related to data protection.
Accordingly, in this legal analysis we have focused on these issues in more detail than on others.
While this document sets out five key legal issues, a theme that is consistent across all scenarios and in all of the discussions about cloud computing is the need for cloud computing providers to have highly detailed and product-specific contracts and other agreements and disclosures, and for customers to carefully review these contracts or related documentation.
Both parties should also pay close attention to service level agreements (SLAs), since many of the legal issues associated with cloud computing are resolved in, or at least mitigated by, SLAs.
Before getting into legal details it is worth noting that the customers of cloud providers may vary in type (from private to public entities) and size (from SMEs to large companies) and, thus, in the extent to which they are in a position to negotiate.
This is very relevant from the legal point of view, because the relationship between the cloud providers and their customers will be mostly regulated by means of contracts.
Because of the lack of specific regulations, reciprocal duties and obligations will be set forth in either standard general terms and
[Timeline figure: Development of private cloud; Partner for DR and BC; Partner identification; Executive plan; Project definition; requirements definition; Private cloud goes live.]
*Please note that those applications or services were outsourced to a cloud computing provider without an internal physical to virtual migration being performed.
Existing security controls

Provider #1 (SaaS) and Provider #2 (PaaS) claim to implement a set of standard security controls which include:
• firewall
• IDS/IPS (Network and Host based)
• system hardening and in-house penetration testing
• ITIL compliant incident and patch management.
No further details are given.
The selection of the providers was done by Clean Future on the basis of the good reputations of Provider #1 and Provider #2.
Provider #3 (IaaS) offers pre-configured VM instances in various standard configurations.
They do not, however, offer pre-hardened instances by default, i.e., the customer is entirely responsible for all security measures on VM instances, including review of all default settings.
Provider #3 specifies background checks on all employees (with some limitations according to local laws), physical access control based on biometric smart-cards and need-to-know based data access control policies.
All connections (for IaaS, PaaS, SaaS, IDM, etc), EXCEPT those with customers (e.g., using the configuration application), are encrypted (either via VPN or SSH).
All providers are ISO 27001 compliant but none of them declare the exact scope of the certification.
The SLA with each provider includes a breach notification clause.
All the providers offer premium (paid) security reporting features.
Such paid reports may include: failed breaches (of the customer’s assets), attacks against specific targets (per company user, per specific application, per specific physical machine, ratio of internal attacks compared to external attacks, etc), trends and statistics.
The reporting threshold for failed attempts and the scale for incident severity are customized according to the customer’s specific needs.
[Data flow figure: Federated ID Management; Clean Future; Cloud Provider 3 (IaaS); Cloud Provider 2 (PaaS); Cloud Provider 1 (SaaS); Customers; Contractors; Partners.]

• All suppliers must demonstrate compliance with ISO27001.
They are NOT required to be accredited but compliance is verified through yearly submission of their information security management system and associated policy documents.
Additional certifications and accreditations assist EuropeanHealth organisations in choosing appropriate providers, e.g., ISO20000 (Service Management), ISO9001 (Quality), etc, but these are not required.
In terms of audit and compliance to regulations or the nominated standards of the service provider, cloud computing service providers must ensure that they are able and willing to allow the right to audit their policies, processes, systems and services.
Governance

A basic set of security controls is provided by Gov-Cloud and additional controls are optionally provided by management services or in-house management for each user of Gov-Cloud (such as EuropeanHealth).
Governance standards, such as ITIL, are used.
EuropeanHealth cannot mandate internal departments to adopt specific technologies, but only recommend technologies to be adopted.
EuropeanHealth departments remain free to implement the technology that best meets their needs.
EuropeanHealth can request participating organisations to provide documentation showing that their recommendations have been followed, e.g., proof that all data on laptops is encrypted.
For external suppliers, there are specific requirements for organisations to connect to the EuropeanHealth network and remain connected.
Access control and audit trails

EuropeanHealth provides Single Sign On (SSO) for their applications and services using smart cards as authentication tokens.
EuropeanHealth organisations may use many other forms of authentication, or multiple forms for different purposes (i.e., single factor, two factor, biometric and so forth).
Gov-Cloud third party suppliers interface with EuropeanHealth PKI using smart cards.
There are absolute requirements in terms of audit to ensure that it is clear who has accessed what personal data or sensitive personal data and for what purposes.
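As an added example (not part of the ENISA scenario), the following Python script checks an application audit trail against the requirement just stated: every access to personal or sensitive personal data must record who accessed what and for what purpose. The JSON-lines records, the field names and the rule that sensitive personal data may only be read in a smart-card session are all constructed assumptions for illustration.

```python
"""Constructed example: validating an access audit trail for completeness
('who accessed what, and why') and summarising access per actor."""
import json
from collections import defaultdict

# Hypothetical JSON-lines audit records written by an application behind SSO.
# The third record lacks a purpose; the fourth lacks the actor.
SAMPLE_LOG = """\
{"ts": "2009-11-01T09:12:00Z", "actor": "dr.smith", "auth": "smartcard", "record": "patient:4711", "data_class": "sensitive-personal", "purpose": "treatment"}
{"ts": "2009-11-01T09:15:00Z", "actor": "clerk.jones", "auth": "password", "record": "patient:4711", "data_class": "personal", "purpose": "billing"}
{"ts": "2009-11-01T09:20:00Z", "actor": "dr.smith", "auth": "smartcard", "record": "patient:4712", "data_class": "sensitive-personal"}
{"ts": "2009-11-01T09:25:00Z", "actor": "", "auth": "smartcard", "record": "patient:4713", "data_class": "personal", "purpose": "treatment"}
"""

# Fields every access record must carry (assumed schema).
REQUIRED = ("ts", "actor", "auth", "record", "data_class", "purpose")
# Assumed policy: sensitive personal data only in a smart-card session.
STRONG_AUTH = {"smartcard"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_findings(entries):
    """Return (record_no, reason) for every record that does not make clear
    who accessed what personal data and for what purpose, or that reads
    sensitive personal data without strong authentication."""
    findings = []
    for n, e in enumerate(entries, 1):
        for field in REQUIRED:
            if not e.get(field):
                findings.append((n, f"missing {field}"))
        if e.get("data_class") == "sensitive-personal" and e.get("auth") not in STRONG_AUTH:
            findings.append((n, "sensitive data accessed without strong authentication"))
    return findings


def access_summary(entries):
    """Who accessed what: {actor: sorted records}, using only complete entries
    so that incomplete records are surfaced as findings, not silently counted."""
    seen = defaultdict(set)
    for e in entries:
        if all(e.get(f) for f in REQUIRED):
            seen[e["actor"]].add(e["record"])
    return {actor: sorted(records) for actor, records in seen.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for n, reason in audit_findings(entries):
        print(f"record {n}: {reason}")
    print(access_summary(entries))
```

Running the check regularly over exported audit logs turns the contractual requirement into something measurable: the number of incomplete records per period is a direct indicator of whether an application can answer "who accessed what and why" when a data subject or regulator asks.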
Service Level Agreements

SLAs would need to be contractual and embedded within any cloud service offering to EuropeanHealth organisations.
The key will likely be 24/7 availability (but dependent on the type of service, application or data being hosted).
• A concern for EuropeanHealth organisations will be the potential loss of control that they will feel (e.g., of infrastructure, the services, the data and provisioning, etc).
The ability of cloud service providers to prove that there is ‘no’ loss of control will be a key consideration for take up.