Professional Documents
Culture Documents
To cite this article: Klaus Julisch & Michael Hall (2010) Security and Control in the Cloud, Information Security Journal: A
Global Perspective, 19:6, 299-309, DOI: 10.1080/19393555.2010.514654
To link to this article: http://dx.doi.org/10.1080/19393555.2010.514654
1. INTRODUCTION TO CLOUD
COMPUTING
Cloud computing is a new formula of delivering computing resources, not a
new technology. Specifically, cloud computing provides computing resources
as on-demand services that are hosted remotely, accessed over the Internet,
and generally billed on a per-use basis (Chong & Carraro, 2006; Catteddu
& Hogben, 2009; Datamonitor, 2009). There are three types of computing
resources that have been provided in the cloud:
Address correspondence to
Klaus Julisch, IBM Research GmbH,
Sumerstrasse 4, 8803 Rschlikon,
Switzerland. E-mail: kju@zurich.ibm.com
their clients. This article focuses on security in public clouds, and the term cloud is henceforth used
synonymously with public cloud.
In using (public) cloud services, a Cloud Client (CC)
places select organizational assets in the custody of a
Cloud Provider (CP). In doing so, the CC cedes control over these assets to the CP, and yet the CC retains
accountability for the security and regulatory compliance of these assets. This creates risks, which have
made some enterprises hesitant to sign up for cloud
services (Catteddu & Hogben, 2009). CPs understand
this problem and have responded by offering SAS-70,
ISO-27001, or other security certifications to proof
the quality of their risk-mitigating controls (Salesforce,
2008; Schadler, 2009; Amazon, 2010). Further, some
CPs such as Intacct.com or Google offer Service Level
Agreements to facilitate a risk transfer (Intacct, 2010;
Google, 2010A; Amazon, 2008). All of these schemes
are important, but taken in isolation, they have important shortcomings:
1. Formal Registrar Security Certification audits have
the problem of being infrequent (typically every
three years). The CC therefore receives infrequent
snap shots of the CPs control environment and
has to trust that everything is OK between certifications. This setup is increasingly unacceptable
to many CCs who, at any moment, may be held
accountable by their stakeholders for the security
and compliance of their own information systems.
2. It is important to understand that SAS 70 certification is not a stamp of approval (even though it is
sometimes marketed that way). This is because SAS
70 is a framework for conducting audits. It does not
certify any specific controls or control objectives.
Rather, each CP defines for itself the controls and
control objectives that it wants to be certified for
(AICPA, 1992). These controls and control objectives are documented in the SAS 70 audit report.
Prospective clients should always consult this report
(rather than relying on the SAS 70 compliant
label) to determine if the controls of a CP meet their
requirements (Brunette & Mogull, 2009). SSAE 16
and ISAE 3402, the successor standards of SAS 70,
improve on these issues by requiring the CP to more
fully disclose its system and control environment
(Thompson, Griffin, & Bialick, 2010).
3. The SLAs offered by CPs tend to be conservative in the sense that they offer only small
301
that ISMSs follow the Plan-Do-Check-Act (PDCA) process, or Deming Cycle. The PDCA cycle acknowledges
that information security is not a product that once
installed, makes a system secure. Rather, information security is achieved by a process of continuous
improvement and adjustment to the inevitably changing threats, technologies, and business processes. The
four steps of the PDCA process are as follows:
The Plan step defines the scope of what is to
be protected; it further performs a risk assessment
and defines the security policies and the control
objectives that are to be achieved.
The Do step implements and operates controls to
achieve the stated control objectives and to comply
with the stated security policies.
The Check step monitors and assesses the achieved
information security relative to the stated control
objectives and security policies.
The Act step derives improvements and new security requirements from the results of the check step.
This provides the input for the next iteration of the
PDCA cycle.
In a conventional ISMS, the IT assets (i.e., hardware,
infrastructure, software, and data) and the security management of these assets are owned and controlled by the
same organization. This changes in cloud computing.
and controls an asset is also responsible for providing suitable security controls to protect it. Figure 1
uses grey shading to show who manages and controls
a given asset. Consequently, we obtain the following
(still preliminary) responsibilities:
In all three cloud models, the CP manages, and controls the infrastructure, which comprises the servers,
networks, electricity, human resources, and site services. As such, the CP is responsible to implement
and operate suitable infrastructure controls such as
employee training, physical site security, network
firewalls, and others. Infrastructure controls are of
fundamental importance. For example, if physical
access control is weak and people can steal entire
servers then it does not matter that network access to
these servers is protected by firewalls and encryption
(Archer et al., 2010).
In IaaS, the CC manages and controls all software
that runs on the CPs infrastructure. As such, the
CC is responsible for all software security controls,
including software patching, anti-virus protection,
application access control, user identity management, and others. If, for example, an attacker successfully guessed an application password, then this
reveals a control failure by the CC to properly
protect its assets.
In PaaS, the CC manages and controls the application software, while the CP manages and controls
the operating system, middleware, and infrastructure.
Accordingly, the CC is responsible for all application controls, while the CP is responsible for the IT
general controls (Bayuk, 2004).
In SaaS, the CP manages and controls all layers
of the software stack and is accordingly responsible
for their security. In other words SaaS providers are
responsible for implementing suitable security controls in their infrastructure, operating systems and
middleware, as well as application software. If, for
example, unpatched application software is compromised by attackers then the CP failed to meet its
responsibilities.
This assignment of responsibilities still needs to
be modulated by a second factor, namely the extent
to which the CP allows the CC to configure the
controls it provides. This factor is most easily understood in the case of SaaS: While SaaS providers
303
implement the entire software stack, they do not necessarily configure all of it. Specifically, many SaaS
providers let their CCs configure their own accounts
and password policies. This partially moves the responsibility for these controls back to the CC: The CC
becomes responsible for configuring the appropriate security policy, and the CP remains responsible
for enforcing this policy via its controls. This configuration option is illustrated by the C interface
in Figure 1. In practice, it is quite common for
CPs to provide a configuration interface C because
it allows them to partially delegate responsibility
back to the CC. Examples of configuration interfaces
include:
Amazons Elastic Compute Cloud (EC2) allows
the CC to configure the network firewall that
controls access to CCs resources on EC2 (Amazon,
2009).
Customers of Amazons Simple Storage Service (S3)
can configure the access rights that control who can
access their data on the S3 cloud (Amazon, 2009).
Google Apps offers a SAML-based Single Sign-On,
where the CC authenticates users and then sends
a token to Google Apps to vouch for the users
identities (Google, 2010B).
In summary, the assignment of responsibilities is
more complex in cloud computing because it depends
on the cloud model as well as the extent to which
CCs can configure the controls provided by CPs. This
brings us back to the topic of this article the virtual
ISMS whose purpose we can now define as (a) supporting the CC and the CP in negotiating and defining
their respective responsibilities and (b) enabling the
CC to monitor and audit the effectiveness of the
controls that are under the CPs responsibility.
TABLE 1
Do
Check
Act
5.1. Planning
The first activity in planning is that the CC establishes its control objectives. To do so, the CC identifies
its corporate assets (data or software) and their values. The asset value is the monetary impact that a loss
of availability, confidentiality, or integrity has on the
clients business. From the asset values, the CC can
then determine its protection requirements. These protection requirements are documented in the form of
control objectives as well as specific controls that have
to be implemented. The CC also must define its assurance requirements, that is, the evidence that it requires
to be collected during the Check step to proof that
the control objectives are met. So far, this is no different from the risk-based planning step performed in
conventional ISMSs.
K. Julisch and M. Hall
At this point, the CC must identify the cloud service it wants to procure from CPs. Using the rules of
responsibility derived in section 4, the CC can then
identify the controls and control objective that the CP
is responsible for. The CC can further determine the
assurance information that the CP is responsible for
providing. Taken together, these responsibilities define
the requirements catalog that the CC imposes on the CP.
Using the requirements catalog, the CC can assess
potential CPs with respect to their ability to satisfy
it. This clearly presupposes that CPs disclose their
security controls to determine if they meet the CCs
requirements. Unfortunately, most CPs are not very
open with regards to their security controls (Reeves,
2009B; Archer et al., 2010). Obviously, CPs that keep
their security controls secret destroy the CCs ability
304
305
5.2. Check
At the time of this writing, the state of the art in
monitoring CPs is still immature. As such, the Check
step offers significant potential for CPs to create differentiated value for their clients. CPs who want to do
so must address several challenges. First, CCs want to
monitor their CPs so they can demonstrate their own
compliance, drive continuous improvement in the
Act step, and enforce penalty payments for SLA violations. CPs will find opportunities for improvement
in all three areas, but the most imminent improvement
potential exists in the first two areas. The third area,
that is, SLAs, sill faces many technical challenges that
will take time to overcome.
On the challenges associated with security SLAs: SLA
violations concerning confidentiality or integrity are
difficult to ascertain, and even then, the question arises
of whether the CC or the CP was responsible in the sense
of section 4. Obviously, CPs do not want to pay penalties
for failures that were the CCs fault. Consequently,
thorough forensic investigations of security failures are
required to ascertain responsibility. Will CCs and CPs
agree to participate in such investigations, and what
happens if the forensic results are not conclusive? A
further hurdle is that CPs would assume very large risks
if they were to offer SLAs that compensated CCs for
their losses from potential security incidents. Therefore,
CPs choose to offer SLAs that compensate CCs for
services not provided (e.g., by refunding hours of uptime not delivered). This is a controllable risk to the
CP but hardly covers the true cost to CCs. In summary,
these are difficult challenges and it will take years before
security SLAs become practicable.
With any meaningful risk transfer using SLA being
years away, CPs would be well-advised to support
their clients risk management processes. The simple
truth is that CCs have to manage their risks, and CPs
whose secrecy policies (Reeves, 2009B; Archer et al.,
2010) hinder such risk management will see their customers go elsewhere. CPs consequently must offer
transparency with respect to the controls they implement and the effectiveness of these controls. CPs who
6. STATEMENT OF APPLICABILITY
The Statement of Applicability (SOA) is a specific
requirement of the ISO 27001 and documents which
controls have been chosen by the risk assessment process and which ones have been justifiably excluded.
The controls in a SOA are chosen in order to protect
both, the data assets owned by an organization and
any data assets that are under the custody of that organization. In this section, we take the perspective of a
CP who asks: What controls do I have to implement
in my own infrastructure in order to protect my clients
assets? The answer to this question depends on the
cloud model (IaaS, PaaS, or SaaS) adopted.
Table 2 shows part of the CPs statement of applicability for protecting its clients assets. A complete
SOA would show for each control cited in Annex A
of the ISO 27001 (ISO, 2005A) if and how it has to be
implemented. Table 2 is less detailed and only discusses
control groups rather than individual controls. Also
different from a complete SOA, Table 2 only offers
general guidance on control exclusions because dependent on the specifics of an environment, the CP may
have to implement additional controls.
In general, CPs are best advised to implement
all controls necessary to meet the expectations and
requirements of their most demanding customers. This
recommendation makes sense because the shared delivery platform used by CPs makes it prohibitively expensive to tailor special controls to individual clients.
Therefore, CPs either have to accommodate the security needs of their most demanding customers or risk
losing them.
Control Group
Control A.5.1
Controls A.6.1 & A.6.2
Controls A.7.1 & A.7.2
Responsibility of the CP
A.12.1 Security
Requirements of
Information Security
A.12.2 Correct Processing in
Applications
A.12.3 Cryptographic
Controls
A.12.4 Security of System
Files
A.12.5 Security in
Development & Support
Processes
A.12.6 Technical
Vulnerability
Management
307
TABLE 2
(Continued)
Clause
A.13 Information Security
Incident Management
A.15 Compliance
Control Group
Responsibility of the CP
In IaaS, PaaS, and SaaS, the CP is responsible for incident
management on the infrastructure, platform, and
application level, respectively.
In IaaS, PaaS, and SaaS, this control is the responsibility
of the CP.
In IaaS, PaaS, and SaaS, this is a joint responsibility where
the CC generally identifies the applicable laws and
regulations and the CP implements the controls to
assure compliance with them.
ACKNOWLEDGMENTS
The research leading to these results has received
funding from the European Communitys Seventh
Framework Program (FP7/20072013) under grant
agreement No. FP7-216917.
REFERENCES
AICPA. (1992). Reports on the processing of transactions by service organizations (SAS 70). American Institute of Certified Public Accountants,
Inc.
Amazon. (2008). Amazon EC2 service level agreement. Available from:
http://aws.amazon.com/ec2-sla/
Amazon. (2009). Amazon Web services: Overview of security processes.
Available from: http://aws.amazon.com/security
Amazon. (2010). AWS completes SAS70 Type II audit. Available from:
http://aws.amazon.com/about-aws/whats-new/2009/11/11/awscompletes-sas70-type-ii-audit/
Archer, J., Boehme, A., Cullinane, D., Kurtz, P., Puhlmann, N., and
Reavis, J. (2010). Top threats to Cloud computing V1.0. Cloud Security
Alliance.
Bayuk, J. L. (2004). Stepping through the IS audit: What to expect, how
to prepare (2nd edition). ISACA.
308
309
BIOGRAPHIES
Klaus Julisch has a Ph.D. in Computer Science from
the University of Dortmund, Germany, and more
than 10 years of experience in information security.
In 1999, he joined the IBM Research Lab in Zurich,
Switzerland, where he developed new security alert correlation techniques for IBMs commercial divisions.
From 2005 to 2007, Dr. Julisch was on assignment to
the Research Headquarters in Yorktown, where he was
instrumental in launching IBMs secure ID card business. Since 2008, Dr. Julisch has been leading a major
research project aimed at improving the security and
compliance of cloud computing.
Michael Hall is the Practice Development Partner
at Forbes Sinclair, an international risk management
advisory company with offices in Madrid, Spain, and
Tampa, Florida. Forbes Sinclairs projects focus on the
implementation of ISO/IEC 27001, ISO/IEC 20000,
BSI 25999, ISO 14001, PAS 99, IT risk analysis, IT
contingency and business continuity planning, training, and application reviews. Hall is one of the initial
founders of Forbes Sinclair in 1998 and is presently
responsible for business development and the overall leadership of work teams in information security
and audit projects. Aside from his activities with
Forbes Sinclair, Hall is an ISO/IEC 27001, ISO/IEC
20000, BSI 25999, ISO 9001 instructor for the British
Standards Institution. He is the author/editor of the
Risk Management Knowledgebase, an electronic encyclopedia of Standards BSI 27001, BSI 20000, Basel II
and Legal Compliance. Halls professional certifications include CISSP (Certified Information Systems
Security Professional) and British Standards Institute
Registered Auditor in the ISO/IEC 27001, ISO/IEC
20000, BSI 25999, ISO/IEC 9001, ISO 14000. He also
holds BS Advanced Auditing Skills Certificates.