A Survey on Cloud Provider Security Measures

Alex Pucher, Stratos Dimopoulos

Abstract

Cloud computing offers a virtually unlimited amount of resources at flexible pay-as-you-go cost. Many enterprises already take advantage of this model, but security and privacy concerns limit the further adoption of the technology. Cloud providers acknowledge these additional needs of regulated enterprises and government agencies and have started offering security certifications and separate, tightly controlled “government” cloud infrastructure. This paper is a survey of the published security mechanisms implemented in the most well-known cloud service products, such as Amazon AWS, Google App Engine and Microsoft Azure. Our goal is to identify the levels of security they provide. We analyze different aspects of their systems (certification/standards adherence, authentication/authorization mechanisms, protection from actual attacks, etc.), compare them and draw conclusions regarding the security levels they offer.


Contents

Introduction

AMAZON AWS
    Overview
    Certification/ Standards Adherence [2]
    Physical Security
    Security Features / Services Security [1]

Rackspace
    Overview
    Certification/ Standards Adherence [14]
    Physical Security
    Security Features / Services Security
    Privacy

Google Cloud
    Overview
    Certification/ Standards Adherence
    Physical Security

Microsoft Azure
    Overview
    Certification/ Standards Adherence
    Physical Security
    Security Features / Services Security
    Privacy

Microsoft Office 365
    Overview
    Certification/ Standards Adherence
    Physical Security
    Security Features / Services Security
    Privacy

Summary

References

Appendix - Standards, Certifications, Terminology


Introduction

The flexibility, lower costs and scalability that cloud services can provide for small and big companies, in the private or public sector, are more than promising. Nevertheless, security and privacy concerns are still big enough to limit an even wider adoption of cloud services. According to recent Microsoft research [75], “58 percent of the public and 86 percent of business leaders are excited about the possibilities of cloud computing” and at the same time “More than 90 percent of them are worried about security, availability, and privacy of their data as it rests in the cloud”. This shows emphatically that users want to take advantage of the new technology without sacrificing the privacy of their data. This is why the big cloud players are trying to find solutions in this direction, having realized that this is the way to attract new customers. Cloud computing providers offer different services to their customers, such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following picture shows what each of them implies in terms of the services provided to the customer.

Figure: The different aspects of cloud computing. (The image is from Max Chand’s presentation, Windows Azure SSP.)

Exactly because of the scale and variety of the services provided, and accordingly of the systems involved, it seems impossible to develop one single security solution that covers everything. Thus, providers often exaggerate the security services that they are able to provide. It is not long since Microsoft and Google accused each other of lying about their Google Apps for Government and Microsoft BPOS (Business Productivity Online Standard Suite) services, respectively [69] [70], being certified for use by federal agencies under the Federal Information Security Management Act (FISMA). This is only the tip of the iceberg of an ongoing war in the new era of cloud services over which service deals better with the number one concern of cloud users: security and privacy. Strong privacy and security guarantees are what the market demands, and this is why cloud providers are investing in building secure systems and in obtaining as many security and privacy certifications as possible. In the next sections we describe the services provided by the big players of the cloud market, namely Amazon, Google, Microsoft and Rackspace, and compare them in terms of their certifications, physical security, security features and the privacy they provide. We also provide an appendix that explains the different certifications, standards, audits and terminology mentioned throughout the document.

AMAZON AWS

Overview

Amazon AWS is a cloud computing platform offering an impressive number of cloud services at all levels and providing customers with great flexibility regarding pricing and resources. Some of the most well-known Amazon cloud services are EC2 (Amazon Elastic Compute Cloud) [20], which offers pay-as-you-go computing resources in the cloud; S3 (Simple Storage Service) [21] and EBS (Elastic Block Store) [22], both storage services in the cloud for different purposes; and database services such as RDS (Relational Database Service) [23], DynamoDB [24], SimpleDB [25] and ElastiCache [26]. It also offers a lot of monitoring services such as CloudSearch [27] and SWF (Simple Workflow Service) [28].

Certification/ Standards Adherence [2]

Amazon has a very comprehensive and convincing description of the certifications and standards that it possesses. The impression you get from reading their website is that they try to formalize and structure all the security procedures that they follow. A list of all the certifications/standards and a brief description of what each ensures is provided in the following section. A more detailed description of each standard can be found in a dedicated section that follows.

SAS 70 Type II audits

Amazon states that it has completed multiple SAS 70 Type II audits in the past.


SOC 1/ SSAE 16/ ISAE 3402

The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This audit replaced the SAS 70 Type II report.

SOC 2

Evaluation of controls relevant to security, availability, processing integrity, confidentiality, and privacy. Evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set by the AICPA (American Institute of Certified Public Accountants) [3].

ISO 27001 certification [4][5]

ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that is based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. The ISO 27001 certification includes all AWS data centers in all regions worldwide.

PCI DSS Level 1 service provider (Payment Card Industry Data Security Standard) [3]

Merchants and other service providers can now run their applications on Amazon’s PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. PCI Validated Services include:

● Amazon Elastic Compute Cloud (EC2)
● Amazon Simple Storage Service (S3)
● Amazon Elastic Block Store (EBS)
● Amazon Virtual Private Cloud (VPC)
● Amazon Relational Database Service (RDS)
● Amazon Elastic Load Balancing (ELB)
● Amazon Identity and Access Management (IAM)
● Underlying physical infrastructure
● AWS Management Environment


ITAR (International Traffic in Arms Regulations)

This regulation is supported by AWS GovCloud [13]. More information about the regulation can be found in the Appendix. This regulation basically restricts access to protected data to US persons and the location of the data to US soil.

FIPS 140-2

Another regulation that is supported by AWS GovCloud [13]. It is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. Amazon’s Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.

Safe Harbor

Amazon.com, including Amazon Web Services LLC, is a participant in the Safe Harbor program developed by the U.S. Department of Commerce and the European Union.

Public sector certifications

Amazon holds a FISMA Moderate certification. This is an authorization from the U.S. General Services Administration to operate at the FISMA Moderate level. More details can be found in the appendix. Amazon has received a three-year FISMA Moderate authorization for IaaS (Infrastructure as a Service) from the General Services Administration. FISMA requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, as well as the third-party audit of the established processes and controls.

Guidelines/ Structure for secure practices

Apart from the certifications that Amazon holds for its services, it also provides its customers with a platform on which they can build to apply for other certifications specific to the application they are using. Healthcare applications compliant with HIPAA’s Security and Privacy Rules have been built with AWS [6]. Moreover, Amazon publishes a set of practices to make its users aware of what Amazon provides for security and also what they should follow to enhance security when they are using AWS. In particular, AWS has completed the CSA Consensus Assessments Initiative Questionnaire, which provides its customers with a reference to the security existing in the AWS IaaS offerings. Also, AWS commissioned an independent assessment of its compliance with the MPAA best practices and has achieved the highest maturity rating possible [6].


Physical Security

Only those within Amazon who have a legitimate business need to have such information know the actual location of the data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Security Features / Services Security [1]

Amazon provides a number of features that are commonly used in any server environment to ensure security. We did not find anything new or specialized here, but the features mentioned seem to be enough to provide a high level of security. Furthermore, Amazon seems to pay attention even to very simple features such as the reporting of possible vulnerabilities by its customers. As you will see in the next section, even this is done in a very well-defined way. Nevertheless, many of the features are configuration options provided to the customer, and for this reason it is the customer’s responsibility to use them properly. An extensive list of the features provided at the different levels of Amazon’s platform follows.

Strong cryptographic methods

Amazon uses strong cryptographic methods (the names of the methods are not provided) to authenticate users, and provides HTTPS support and web service interfaces to configure firewalls and other security features.

Configurable web service interfaces

Configurable web service interfaces are provided to allow the customer to configure firewall access and network access to their databases. For instance, Amazon RDS allows customers to run their database instances in Amazon’s virtual private cloud.

Security Credentials

There are three types of credentials used [8]:

● Access credentials (access keys, X.509 certificates and key pairs)
● Sign-in credentials (email address, password, AWS multi-factor authentication device)
  ○ See below for AWS multi-factor authentication device details.
● Account identifiers (account ID and canonical user ID)


AWS Identity and Access Management (IAM)

AWS IAM allows the creation of multiple users and the management of their permissions. It also eliminates the need to share passwords or access keys. More details can be found in the Privacy section that follows. [9]

AWS Multi-Factor Authentication (AWS MFA)

The AWS multi-factor authentication device is provided by a third-party provider, Gemalto, and customers can purchase it to increase their security. Each time they authenticate, they then need to provide both their AWS email ID and password (1st factor) and the code from the authentication device (2nd factor).

Key Rotation

Enables rotation of access keys and certificates without impact on application availability (i.e., multiple concurrent access keys and certificates are supported).

Vulnerability Reporting / Penetration Testing Requests

Amazon provides reporting processes for security vulnerabilities [10] and penetration testing [11]. Although this sounds like a very simple task, Amazon adds some sophistication by using the Common Vulnerability Scoring System (CVSS) [35] to evaluate reported potential vulnerabilities and prioritize the most important ones. Regarding penetration testing, Amazon gives its customers the ability to run penetration tests against their services; of course, this has to be done after Amazon’s approval so that the test can be distinguished from a regular attack.

Security Bulletins

This is a service provided by Amazon to notify customers about security and privacy events with AWS services [36].

Signed PGP Public Key

As simple as it sounds: this is a PGP key for customers who wish to use it for added security [12].

Network Security

The following is a list of how Amazon deals with potential network vulnerabilities and attacks.


● Distributed Denial of Service (DDoS) Attacks
  ○ Proprietary DDoS mitigation techniques are used.
  ○ AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
● Man in the Middle (MITM) Attacks
  ○ All of the AWS APIs are available via SSL-protected endpoints which provide server authentication.
● IP Spoofing
  ○ Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
● Port Scanning
  ○ It is a violation of Amazon’s policy and can be reported. When it is detected, it is stopped and blocked.
  ○ It is up to the customer to take appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan.
● Packet sniffing by other tenants
  ○ Even two virtual instances that are owned by the same customer and located on the same physical host cannot listen to each other’s traffic.
  ○ Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.

Data Privacy [1]

Data access

Amazon supports several mechanisms to configure who can access the data, when and from where. For example, Amazon S3 provides 4 different access mechanisms [30].

○ Identity and Access Management (IAM) policies [34]
  ■ IAM enables the creation and management of multiple users under a single account and their corresponding roles. Moreover, there is a capability for identity federation between a customer’s corporate directory and AWS services, enabling users to use their corporate identities to gain access to AWS services. To allow the creation of “federated users”, Amazon allows the creation of temporary security credentials, comprised of short-lived access keys and session tokens associated with these keys. The permissions of these temporary credentials are at most equal to those of the IAM user who created them, but they can also be restricted to more limited permissions.
○ Access Control Lists (ACLs)
  ■ Add/remove permissions on individual objects
○ Bucket policies
  ■ Same as above, but for permissions across some or all of the objects within a single bucket
○ Query string authentication
  ■ Capability to share Amazon S3 objects through URLs that are valid for a predefined time.
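The query string authentication described above, combined with the concurrent access keys from the Key Rotation feature, shown as an added example that is not code from the paper or from AWS. It follows the legacy (Signature Version 2) S3 query-string layout, HMAC-SHA1 over the verb, expiry time and resource; `sign_request`, `presign`, `verify`, `ACTIVE_KEYS`, the host name and all key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed key store: one account with two concurrently active access keys,
# as during a rotation. IDs and secrets are made-up sample values.
ACTIVE_KEYS = {
    "AKIDEXAMPLEOLD": b"old-secret-constructed-for-demo",
    "AKIDEXAMPLENEW": b"new-secret-constructed-for-demo",
}


def sign_request(secret, method, resource, expires):
    # Legacy S3 query-string layout: verb, Content-MD5, Content-Type, Expires,
    # then the canonical resource. MD5 and type are empty for a plain GET.
    string_to_sign = f"{method}\n\n\n{expires}\n{resource}"
    digest = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def presign(key_id, secret, bucket, key, ttl_seconds, now=None):
    """Return a GET URL for bucket/key that stops validating after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    resource = f"/{bucket}/{quote(key)}"
    query = urlencode({
        "AWSAccessKeyId": key_id,
        "Expires": expires,
        "Signature": sign_request(secret, "GET", resource, expires),
    })
    # Placeholder host; not a real endpoint.
    return f"https://s3.example.invalid{resource}?{query}"


def verify(url, keys, now=None):
    """Server-side check of a presigned GET URL. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        key_id = params["AWSAccessKeyId"][0]
        expires = int(params["Expires"][0])
        given = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    secret = keys.get(key_id)
    if secret is None:
        # The key was retired once rotation finished, or never existed.
        return False, "unknown or revoked key"
    # Recompute over the path and expiry actually presented, so changing
    # either one invalidates the signature. Compare in constant time.
    expected = sign_request(secret, "GET", parts.path, expires)
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    link = presign("AKIDEXAMPLEOLD", ACTIVE_KEYS["AKIDEXAMPLEOLD"],
                   "demo-bucket", "reports/q1 2013.pdf", ttl_seconds=300)
    print(link)
    print(verify(link, ACTIVE_KEYS))
```

During a rotation both keys verify; removing the old entry from the key store afterwards invalidates every URL signed with it, regardless of its remaining lifetime.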

VPC (Amazon Virtual Private Cloud)

Amazon VPC [32] lets users use a private and isolated portion of the cloud where they can configure their IP address range, create subnets, configure routing tables and gateways, and launch various AWS services in this environment. In RDS, for example, users can isolate their database instances by specifying the IP range they wish to use and connecting to their infrastructure through an encrypted IPsec VPN. This is a service currently supported by all the RDS DB engines. Another example of the usage of VPC is that users could configure their S3 data to be accessible only through instances in their VPC. For even better isolation they can run Amazon’s EC2 dedicated instances [33] inside the VPC, which ensures isolation at the hardware level by running on hardware dedicated to a single customer. Customers have the flexibility to mix dedicated and non-dedicated instances inside one VPC or to use them in separate VPCs.

AWS GovCloud (US)

AWS GovCloud [13] is the top level of isolation that Amazon provides. It allows US government agencies and customers to move more sensitive workloads. It is a separate region (GovCloud Region), physically and logically accessible by U.S. persons only. Appropriate workloads for the GovCloud are:

○ Controlled Unclassified Information (CUI), including ITAR
○ Government-oriented publicly available data

Amazon GovCloud adheres to ITAR and supports FIPS 140-2.

Data Encryption

Amazon allows for encryption of personal and business data. On S3, for example, all data is uploaded or downloaded via SSL-encrypted endpoints using the HTTPS protocol. It also provides a client encryption library [29] for those who prefer to manage their own encryption keys (in this case the keys are encrypted on the client side) and Amazon SSE (Server Side Encryption) for those who prefer to let Amazon S3 manage their keys [31].


History Logs

Amazon gives customers the option to enable logs in some of its services (for example, on Amazon S3 buckets), a functionality that is helpful for tracking the requests made and is probably used for auditing purposes.

Rackspace

Overview

Rackspace provides a great variety of cloud services, including IaaS and SaaS. It provides its clients with servers on demand and a RESTful API (OpenStack API [16]) to launch and control the cloud servers. It also provides cloud hosting services for websites and files (in a partnership with Akamai [18]), block storage, container-based virtualization and redundant storage for high-performance MySQL databases in the cloud, backup services, load balancing, monitoring, free DNS management and a private cloud for increased privacy. Moreover, Rackspace has an open approach, as it is powered by OpenStack [16], the open source cloud operating system, and it also offers hybrid services combining both cloud and dedicated servers.

Certification/ Standards Adherence [14]

The certifications that Rackspace possesses are not presented in a structured way, and it is also unclear whether Rackspace actually holds some of the standards or merely agrees that these standards should be met by a cloud vendor for potential clients that need them [74]. The certifications that Rackspace holds are ISO 27001/2-based policies that are reviewed at least annually, and possibly PCI/DSS and HIPAA-BAA. It is also not clear whether they perform SAS 70 Type II and SOC 1 Type 1 & 2 audit reports. Moreover, there are some general statements regarding secure document and media destruction, independent reviews performed by third parties, continuous monitoring and improvement of the security program, and the security organization of the company.

Physical Security

The following is a list of the practices that Rackspace follows to ensure the physical security of its services:


● Data center access is limited to only authorized personnel
● Badges and biometric scanning for controlled data center access
● Security camera monitoring at all data center locations
● Access and video surveillance log retention
● 24x7x365 onsite staff provides additional protection against unauthorized entry
● Unmarked facilities to help maintain low profile
● Physical security audited by independent firms annually

Security Features / Services Security

Again, Rackspace fails to present its security features in a unified way. Instead, security measures and protocols are mentioned in the descriptions of the various services that it provides.

Network Security

Rackspace incorporates software-defined networking and claims that this way customers are able to create completely isolated networks.

Encryption

AES (Advanced Encryption Standard) with a 256-bit key is used for the backup service [17].

Private Containers

Private Containers is a feature provided for the Rackspace Files service; it ensures that all traffic between the customer’s application and Cloud Files uses SSL to establish a secure and encrypted channel.

Modified Medium Trust

The Rackspace cloud Windows environment operates in modified medium trust (instead of full trust) to protect the security, scalability and performance of the users by eliminating the potential for application interference. Applications under medium trust have no registry access and no access to the Windows event log. Also, both network and file system access are limited.

Privacy

Rackspace offers the “private cloud” [15] to increase privacy: a server environment based on OpenStack, available as a downloadable ISO package, that can be hosted in the client’s data center, at Rackspace or in a third party’s data center, and can be managed with or without the support of Rackspace.


Google Cloud

Overview

Google’s cloud platform includes App Engine, Compute Engine, Cloud Storage, BigQuery, Cloud SQL, and the Prediction and Translation APIs. Google employs a multi-layered security strategy. A distinct, more secure service is Google Apps for Government, to which we have dedicated a separate section [57]. Google provides information about 13 datacenter locations [41] and an uptime guarantee of 99.9% (without a specific time range).

Certification/ Standards Adherence

Google does not refer to the different standards that it uses to ensure the security of its cloud services. We assume that this is because these standards are common to the other Google services and are omitted for this reason. Recently they stated on their blog [] that they completed an SSAE 16 / ISAE 3402 SOC 2 Type II report which covered Apps, AppsVault, Apps Script, App Engine and Cloud Storage. Also, there is a reference to the standards followed by Google Apps for Government, which supports greater security and privacy than the rest of the cloud services provided by Google.

Google Apps for Government

● FISMA Moderate (from Dept of Interior)
● HIPAA (Webmail). A standard for protecting health information.
● PCI DSS (Webmail)
● SSAE 16 and ISAE 3402 Type II audit [40]
● SAS70
● Safe Harbor [73]
● Two factor authentication: Google Apps for Government includes an extra layer of security with two factor authentication, which reduces the danger of having data stolen.

Physical Security

Google claims that only select Google employees have access to the datacenter facilities and that this access is controlled and audited. Heat-sensitive cameras, biometric verification, authentication mechanisms and entry permitted only to authorised personnel are some of the measures Google takes to ensure the security of its data centers.


Security Features / Services Security

Google provides a great number of security features and policies to prevent threats and formalize infrastructure management procedures. As you can see, there is no significant difference between the protection of cloud services and that of any other traditional system. Everything that would make sense for the protection of a server or data center is also applied in the Google cloud.

Malware Protection

Google uses manual and automated scans to find websites that can be the source of malware or phishing [58]. The blacklists produced by these scans have been incorporated in many Google products on servers and workstations. Apart from this general statement, Google does not specify how this is adapted to its cloud products.

Monitoring

Network analysis is supplemented by automated analysis of system logs to help determine whether an unknown threat exists for Google systems.

Vulnerability Management

For vulnerability management, many commercial and proprietary products are used to detect and manage vulnerabilities in a timely manner. Automated and manual penetration tests, quality assurance processes, software security reviews and external audits are some of the security measures used.

Incident Management

This is a 24/7 service provided by the Google security group to ensure that any security-related event is treated with priority according to its severity and as fast as possible.

Network Security

For network security Google does the following:

● Use and management of firewalls and ACL technology
● Restricting access to network devices to authorized personnel only
● External traffic is routed through custom front-end servers. This helps detect and stop malicious requests.
● Improved monitoring using internal aggregation points
● Examination of logs for exploitation of programming errors

Transport Layer Security

Google uses HTTPS to secure browser connections.


Operating System Security

Google uses a modified version of Linux that supports only the services necessary for the Google products to run.

Privacy

Nothing specific is stated regarding privacy protection, except for the fact that in the government cloud user data is not scanned or used for displaying ad messages. Users are in control of with whom and how they share their data.

Microsoft Azure

Overview

Microsoft Azure is a cloud offering in the IaaS, PaaS and SaaS space. It includes traditional IaaS virtual machine hosting, BLOB storage and software-defined networking, and extends to the PaaS area with hosted web services, database instances and batch-processing frameworks. Additionally, cross-cutting concerns such as user authentication, reliable messaging and content delivery are addressed with specific services. The Azure service is typically accessed via a REST API and web interfaces and is delivered from 4 datacenters in the US, 2 in Europe and 2 in Asia.

Certification/ Standards Adherence

Microsoft makes a summary of their security measures and policies publicly available. However, specifics on their Information Security Policy may only be obtained under an NDA. Additionally, Microsoft provides the “Windows Azure Trust Center” web portal, which breaks down certifications per service. For the IaaS offerings, Microsoft Azure claims adherence to the ISO 27001 and HIPAA standards and performs annual SAS70 audits. A SOC 1 Type 2 audit for networking, storage and hosted web services is available under NDA.


Physical Security

Microsoft emphasizes compliance with ISO 27001 in connection with the physical security measures taken. Explicitly, the following procedures are mentioned:

● Access control at all facilities
● Personal identification with badges or biometrics required at all times
● Regular audits of access lists
● Video surveillance
● Two factor authentication for physical access
● Non-advertised datacenter locations
● Additionally locked perimeters inside data centers
● Off-site equipment and personnel must be authorized by dedicated staff.

Security Features / Services Security

GeneralMicrosoft Azure integrates Microsoft’s Security Development Lifecycle (SDL) guidelines [60]. Microsoft SDL is a software development security assurance process grouped in seven different phases. These are training, requirements, design, implementation, verification, release and response.

Operations Personnel

Other security precautions are background checks and security training for personnel, non-disclosure agreements, and granting personnel the least privilege sufficient to carry out their duties. Moreover, there are multiple levels of monitoring, logging and reporting, and a combination of controls to detect malicious activity.

Network administration

Azure’s internal network is isolated from external traffic with strong filtering. Administration of the network devices is performed only by authorized personnel. An RPC-accessible API is provided that accepts commands from SMAPI (Storage Management API). Detailed information regarding the encryption that can be used while building a product with .NET on Windows Azure can be found in [61].

Privacy

Microsoft’s approach to privacy is based on a number of principles, as described in the privacy in the cloud white paper [63]. These principles include:

● Accountability in handling personal information
● Notice to individuals about the data collection procedures
● Collection of individuals’ data only for the reasons provided in the privacy notice
● Choice and consent of individuals regarding the collection and use of personal information
● Use and retention of personal information in accordance with the privacy notice
● Disclosure or onward transfer to vendors and partners in a security enhanced manner and only for the purposes provided in the privacy notice
● Quality assurance to ensure that personal information is accurate and relevant to the purpose for which it was collected
● Access to individuals to inquire about, view or update their personal data
● Enhanced security to help protect against unauthorized access
● Monitoring and enforcement of compliance with the privacy policies.

In general, the biggest difference between traditional IT services and the cloud is that in the latter case it is the customer organization that controls and sets the policies for how its customers’ or employees’ data is handled in the cloud. Microsoft has developed data handling processes in its agreements with business and government customers. The information provided in the Windows Azure Security Overview regarding privacy is limited to the statement “Windows Azure Storage is designed to ensure customer deleted data is faithfully and consistently erased.” As described in the Windows Azure Privacy Statement [62], Microsoft retains the right to replicate data between different sub-regions if customers haven’t disabled this feature, but in any case data will not be transferred outside the major geographic region. Lastly, Microsoft supports efforts to enable the development of globally consistent policy frameworks that both support privacy protection and enable data flow from data centers located in countries with divergent rules and laws.


Microsoft Office 365

Overview

Under the label of Office 365, Microsoft offers a range of subscription-based SaaS services for collaboration and productivity tools. These include hosted instances of their collaboration products Exchange and SharePoint and online tools for text processing, spreadsheets and presentations, and they offer tight integration with the desktop-based Office suite. The service is offered at different levels of security to fulfill additional requirements of FISMA, ITAR or EU Model Clauses. The name for the FISMA compliant services is BPOS-Federal.

Certification / Standards Adherence

Microsoft Office 365 does not differ much from the other cloud products of Microsoft, as the following list of certifications shows.

● ISO 27001
● Safe Harbor
● EU Model Clauses
● HIPAA-BAA
● FISMA (by Broadcasting Board of Governors)
● ITAR (by States Department of Agriculture)

Physical Security

The physical security model offered for Microsoft Office 365 is equivalent to Microsoft Azure and the other cloud products of Microsoft.

Security Features / Services Security

Microsoft Office 365 doesn’t differ significantly from the other Microsoft cloud products regarding the security features that are offered. These features include malware protection for servers and customer data, an anti-spam service, intrusion detection, and Microsoft Online IDs and Federated IDs as options for user authentication. Moreover, Microsoft performs regular audits to ensure the security of their systems and proactive monitoring to predict vulnerabilities. All connections established to Office 365 are encrypted using 128-bit SSL/TLS encryption. Encryption is provided on several layers, such as the Transport Layer, encryption between clients and Exchange Online (SSL), Instant Messaging and IM federation. There is also support for S/MIME, Active Directory Rights Management Services or PGP. Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS.


Privacy

Office 365 provides an extensive collection of documentation on data privacy. Some information is accessible through the Microsoft Trust Center [37] web portal and the Office 365 privacy whitepaper [38]. The details of the Information Security Policy are only available under NDA [39]. Specific privacy features are presented in the following list.

● Office 365 abides by privacy-relevant standards such as EU Model Clauses and HIPAA
● Microsoft guarantees not to use customer data for advertising or run data analytics without the customer’s consent. This may be an integral part of the license agreement however.
● An auditable and formal process for access of customer data by Microsoft staff is provided.
● Customers can define geographic boundaries for data storage and processing. Notifications are provided in case changes are required or violations are observed.
● The service allows separation of data between the customer and Microsoft consumer services. There isn’t any mention of specific mechanisms however.
● Finally, there is a private cloud offering of Office 365 in cooperation with VMware


Summary

The following table summarizes the different certifications or audits that each provider complies with (fields with a question mark indicate that it is not clear whether the provider has the certification):

[Table: certifications and audits per provider.
Columns: Amazon AWS, Google Cloud, Microsoft Cloud, RackSpace.
Rows: SAS 70 Type II Audits; SOC 1 Type 1 & 2 reports; SOC 2; SSAE 16 standard; ISAE 3402 standard; ISO 27001 certification; PCI/DSS; HIPAA-BAA; CVSS; Safe Harbor; FISMA; ITAR; FIPS.]


Note that as long as a provider has even one service that complies with a certification, we treat the whole cloud of this provider as complying with the certification. Of course this is not true, and it was actually a reason for legal fights between the different providers, but we do this just for comparison at a high level. For example, Microsoft Cloud as presented in the summary table includes both Azure and Office 365, and when a certification exists this doesn’t mean that it applies to both services. Similarly, there are Google Cloud services, Gmail for example, that are not ITAR compliant, since Gmail servers are located all over the world and not just in the US, but we consider Google Cloud to possess these certifications.

Regarding physical security, more or less all providers offer the same level of security. Furthermore, the physical security provided doesn’t differ from the security needed for other traditional data centers.

The security features provided by the major cloud providers differ more in the way they are presented and advertised and less in their actual value. Maybe the details could make the difference, but details are something that the providers reveal only under an NDA. Overall, we think that the security features provided are sufficient to protect the systems involved in a cloud platform. After all, there is no significant difference between the protection of cloud services and that of any other traditional system.

When it comes to privacy, Amazon, Microsoft and Google offer solutions with a very high level of privacy, enough to be used by government agencies and the army. Google misses some of the certifications needed for this purpose, or at least it doesn’t publish them online. Rackspace doesn’t provide solutions for the government and accordingly doesn’t possess the required certifications.

Conclusion

In this survey we tried to dig into the details of the security and privacy offerings of four big cloud providers. The security measures provided in the cloud do not differ significantly from those of any other large-scale, complex system, and this is why all the providers we examined in this survey are certified to provide most of the required security features. One area in which they differ is the “government” sector, for which special and stricter guarantees for privacy and security are required. Another point that we would like to mention is the difficulty we encountered in gathering and verifying this information. In the best case, some of the providers don’t advertise this information in a compact way. Even worse, sometimes they give the impression that they possess a particular certification for all their services, while in fact this certification concerns only a part of them. Overall, though, we think that important steps have already been taken in the right direction and that competition and the maturing of the services over time will help to settle most of the concerns that users have regarding the privacy of their data.


References

*All online documents were last checked on 12/12/7

[1] http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
[2] http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
[3] http://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/
[4] http://www.27000.org/iso-27001.htm
[5] http://aws.amazon.com/security/iso-27001-certification-faqs/
[6] http://www.hhs.gov/ocr/privacy/
[7] http://www.fightfilmtheft.org/facility-security-program.html
[8] https://portal.aws.amazon.com/gp/aws/securityCredentials
[9] http://aws.amazon.com/iam/
[10] http://aws.amazon.com/security/vulnerability-reporting/
[11] http://aws.amazon.com/security/penetration-testing/
[12] https://aws.amazon.com/security/aws-pgp-public-key/
[13] http://aws.amazon.com/govcloud-us/
[14] http://bd905956a42f6ed96c17-a6046798c661ed27e3d4fdfd1b3c5e5a.r62.cf1.rackcdn.com/whitepapers/security/Rackspace_Security.pdf
[15] http://www.rackspace.com/cloud/private/
[16] http://www.openstack.org/
[17] http://www.rackspace.com/cloud/public/backup/
[18] http://www.akamai.com/
[19] http://www.rackspace.com/knowledge_center/article/modified-medium-trust-on-cloud-sites
[20] http://aws.amazon.com/ec2/
[21] http://aws.amazon.com/s3/
[22] http://aws.amazon.com/ebs/
[23] http://aws.amazon.com/rds/
[24] http://aws.amazon.com/dynamodb/
[25] http://aws.amazon.com/simpledb/
[26] http://aws.amazon.com/elasticache/
[27] http://aws.amazon.com/cloudsearch/
[28] http://aws.amazon.com/swf/
[29] http://docs.amazonwebservices.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3EncryptionClient.html
[30] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingAuthAccess.html
[31] http://docs.amazonwebservices.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
[32] http://aws.amazon.com/vpc/
[33] http://aws.amazon.com/dedicated-instances/
[34] http://aws.amazon.com/iam/
[35] http://www.first.org/cvss
[36] https://aws.amazon.com/security/security-bulletins/


[37] https://www.microsoft.com/en-us/office365/trust-center.aspx
[38] “Privacy in the public cloud: The Office 365 approach” (2011) Microsoft
[39] “Standard Response to Request for Information - O365” (2011, v2) Microsoft
[40] https://support.google.com/a/bin/answer.py?hl=en&answer=60762
[41] https://www.google.com/about/datacenters/inside/locations/index.html
[42] http://www.sas70.us.com/services/sas70-typeii-audit.php
[43] http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc1report.aspx
[44] http://www.ssae-16.com/
[45] http://isae3402.com/
[46] http://www.27000.org/ismsprocess.htm
[47] https://www.pcisecuritystandards.org/index.php
[48] http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act
[49] http://www.fisma.org/
[50] http://www.diacap.net/
[51] http://govitwiki.com/wiki/Defense_Information_Assurance_Certifications_and_Accreditation_Process_(DIACAP)
[52] http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations
[53] http://www.itl.nist.gov/fipspubs/geninfo.htm
[54] http://en.wikipedia.org/wiki/FIPS_140
[55] http://www.first.org/cvss
[56] http://en.wikipedia.org/wiki/CVSS
[57] https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf
[58] http://googlewebmastercentral.blogspot.com/2008/10/malware-we-dont-need-no-stinking.html
[59] http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37672.pdf
[60] http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx
[61] http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
[62] http://www.windowsazure.com/en-us/support/legal/privacy-statement/
[63] http://go.microsoft.com/?linkid=9694913&clcid=0x409
[64] http://www.wilmerhale.com/publications/whPubsDetail.aspx?publication=9532
[65] Security in Office 365 Whitepaper: http://tinyurl.com/cj4x4pt
[66] http://searchdatamanagement.techtarget.com/definition/HIPAA
[67] http://searchhealthit.techtarget.com/definition/HIPAA-business-associate-agreement-BAA
[68] http://www.privacytrust.org/guidance/safe_harbor.html
[69] http://gigaom.com/cloud/why-microsoft-and-google-are-fighting-dirty-over-uncle-sam/
[70] http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/04/11/google-s-misleading-security-claims-to-the-government-raise-serious-questions.aspx
[71] http://broadcast.rackspace.com/downloads/pdfs/RackspaceSAS70.pdf


[72] http://c1776742.cdn.cloudfiles.rackspacecloud.com/downloads/pdfs/Rackspace_SOC1TypellReport.pdf
[73] https://developers.google.com/appengine/terms
[74] http://www.rackspace.com/knowledge_center/whitepaper/moving-your-infrastructure-to-the-cloud-how-to-maximize-benefits-and-avoid-pitfalls
[75] http://research.microsoft.com/pubs/80240/dwork-tcc09.pdf

Appendix - Standards, Certifications, Terminology

SAS 70 Type II Audits

The goal of SAS 70 type II audits is to examine operational controls and test operating effectiveness. These audits usually last from four to ten months, though the duration can vary depending on the project. Going into a type II audit doesn’t necessarily mean that a company must first undergo a type I audit. [42]

SOC 1 Type 1 & 2 reports

SOC 1 reports [43] evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. They are important for financial reporting, for purposes of complying with laws and regulations. There are two types of such reports:

● Type 1: “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.”

● Type 2: “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.”

As the above definitions show, the only difference between these reports is that the type 2 report adds “operating effectiveness” to whatever the type 1 report already requires.

SOC 2


SOC 2 examines the details of data center testing and operational effectiveness.

SSAE 16 standard

These are the standards under which the SOC 1 report should be issued. SSAE 16 came as an enhancement to the SAS70 standard and is up to date with the new international service organization reporting standard, ISAE 3402. [44]

ISAE 3402 standard

International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, allows public accountants to issue a report for use by user organizations and their auditors on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting. [45]

ISO 27001 certification

ISO 27001 defines specific requirements to bring information security under explicit management control. This means that the security controls of the company are systematically examined in a unified way. The different security aspects include information security risks, vulnerabilities but also physical security practices. [46] The certification usually involves a three-stage external audit process.

● The first stage is a preliminary stage used mostly to familiarize the organization with the auditors.

● The second stage is a thorough examination of the design and implementation of the information security management system. After this stage the ISMS is certified as ISO 27001 compliant.

● The third stage includes follow ups and reviews to ensure that the ISMS remains in compliance with the standard.

In the following diagram the process a company needs to follow to comply with the certification is described:


Payment Card Industry (PCI), Data Security Standard (DSS)

The intention of this standard is to help organizations that handle cardholder information for debit cards, credit cards etc. to proactively protect their customers’ account data from fraud [47]. Nevertheless, this standard has been criticized as providing just a minimal baseline for security.

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. [48] Depending on the risk level of sensitive information there are 3 different security categories for FISMA, namely Low, Moderate and High. Each level has some minimum requirements and builds on the previous one. FISMA requires federal agencies to have an information security system for their data and infrastructure. FISMA levels require cloud companies to implement an extensive set of security controls, including the documentation of the management, operational and technical processes used to secure the physical and virtual infrastructure, and to conduct third party audits. [49]

Defense Information Assurance Certification and Accreditation Program (DIACAP)

DIACAP [50] is part of the US Department of Defense and ensures that risk management is applied to information systems. It includes the following 5 phases [51]:

● Initiate and Plan
● Implement and Validate
● Make C&A Decisions
● Maintain ATO/Reviews
● Decommission

ITAR (International Traffic in Arms Regulations)

According to US government requirements, anyone dealing with defense articles, services or data should comply with ITAR. To be ITAR compliant, a company should register with the DDTC (Directorate of Defense Trade Controls) to know what is needed to be ITAR compliant. In short, ITAR regulations prohibit any material related to defense from being shared with or resold to non-U.S. persons without previous authorization from the U.S. Department of State. [52]

FIPS (Federal Information Processing Standards) publication 140-2

FIPS pronouncements have been developed by the U.S. government to standardize codes such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard) [53]. The FIPS 140-2 publication is used to accredit cryptographic modules that include both software and hardware components for use by the departments and agencies of the United States federal government. Compliance with FIPS 140-2 doesn’t necessarily mean that a system is secure. There are 4 different levels defined under FIPS [54]:

● Level 1: Imposes very limited requirements
● Level 2: Adds requirements for physical tamper-evidence and role-based authentication.
● Level 3: Builds on level 2 to add physical tamper-resistance and identity-based authentication.
● Level 4: Stronger physical requirements and robustness against environmental attacks

CVSS (Common Vulnerability Scoring System)

CVSS provides a universal, open and standardized method for rating IT vulnerabilities [55]. The CVSS measures three areas [56]:

1. Base Metrics for qualities intrinsic to a vulnerability.
2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.
3. Environmental Metrics for characteristics of a vulnerability that depend on a particular implementation or environment.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is the United States Health Insurance Portability and Accountability Act of 1996. HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. [66]

HIPAA-BAA

This is a contract between a HIPAA covered entity and a HIPAA associate to protect personal health information in accordance with HIPAA guidelines. [67]

EU Model Clauses

The EU model clauses restrict the transfer of personal data to countries outside the European Economic Area (EEA), unless the recipient is located in a country with an “adequate level of data protection”. Notably, this doesn’t include the US. [64]

Safe Harbor

US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data. [68]
