Cloud computing and security - 2010-2-22...Cloud computing and its impact to enterprises’...


Cloud computing and its impact to enterprises’ information security risk landscape

Jyrki Kronqvist

Faculty of Information Technology, University of Jyväskylä, Finland

Abstract

Cloud computing is a new way of delivering computing resources that promises to help enterprises meet the increased requirements of lower cost, higher return on investment, increased efficiency, dynamic provisioning and utility-like pay-as-you-go services. While cloud computing is certainly poised to deliver many benefits, enterprises should conduct business impact analyses and risk assessments to be aware of potential new risks. This report focuses on cloud computing and how it affects the information security risk landscape, and proposes an approach for enterprises to manage these risks so that the appropriate levels of security and privacy are achieved.

1. Introduction

Cloud computing is a term used to describe distributed, on-demand computing services delivered across networks such as the Internet. Customers and users do not necessarily have control or detailed knowledge of the technology or resources that provide the service or resource. Cloud computing is a new way of delivering computing resources, not a new technology. The premise of the cloud is that by outsourcing portions of information management and IT operations, enterprise workers will be free to improve processes, increase productivity and innovate while the cloud provider handles operational activity smarter, faster and cheaper compared to the traditional.

Security demands in cloud computing differ from the traditional focus of information security today. Nowadays information security functions and arrangements are handled by the organization’s own IT department, whereas with cloud computing a large portion of security arrangements will lie in the hands of the cloud provider. Adopting cloud computing requires a structured and planned approach for securing the organization’s information, services and architecture.

Adopting cloud computing involves relinquishing control over infrastructure and information, and therefore a structured and planned approach for securing information, services and architecture is a necessity for any organisation using the cloud. The structure of this paper is as follows. Section two briefly describes the definition of cloud computing. Section three describes the security benefits of cloud computing, section four illustrates the security risks of cloud computing and section five discusses how to secure cloud computing. Finally, in section six, conclusions are drawn.

2. Definition of cloud computing

Cloud computing is still an evolving paradigm and there are no widely agreed definitions and related terminologies like use cases, underlying technologies, risks, and benefits. Two organizations that have offered a baseline of definitions are the National Institute of Standards and Technology (NIST) [5] and the Cloud Security Alliance [6]. They both define cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Figure 1. Visual Model of Cloud Computing Definition.

Cloud computing is defined more thoroughly as describing five essential characteristics, three cloud service models, and four cloud deployment models. They are summarized in visual form in Figure 1 above and explained in detail in the following subchapters.

2.1 Essential characteristics of cloud computing

Cloud services exhibit the following five essential characteristics [5]:

• On-demand self-service. A consumer can unilaterally provision computing capabilities such as server time and network storage as needed automatically, without requiring human interaction with a service provider.

• Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, laptops, and PDAs) as well as other traditional or cloud based software services.

• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a degree of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Even private clouds tend to pool resources between different parts of the same organization.

• Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out; and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

• Measured service. Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, or active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.

2.2 Cloud service models

Cloud computing services and applications are commonly described in terms of the functionality offered. The classifications are often referred to as the “SPI Model,” where ‘SPI’ refers to Software, Platform or Infrastructure (as a Service) [5]:

• Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (examples Hotmail, Gmail and Yahoo mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

• Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider (examples Amazon Web Services and Microsoft Azure). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

• Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications (example Amazon EC2). The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g. firewalls).

2.3 Cloud Deployment Models

Regardless of the service model utilized (SaaS, PaaS, or IaaS) there are four deployment models for cloud services, with derivative variations that address specific requirements [5]:

• Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

• Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.

• Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

• Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Figure 2. Cloud Deployment Models.

2.4 Cloud reference model

Understanding the relationships and dependencies between the cloud deployment models is critical to understanding cloud computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS as described in the cloud reference model diagram (Figure 3).

This reference model shows that capabilities are inherited, and so are information security issues and risks. The reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis.

Figure 3. Cloud Reference Model.

There are significant trade-offs to each model in terms of integrated features, complexity, extensibility, and security. Trade-offs between the three cloud deployment models include:

• Generally, SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility, and a relatively high level of integrated security (at least the provider bears a responsibility for security).

• PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer-ready features. This trade-off extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security.

• IaaS provides few if any application-like features, but enormous extensibility. This generally means less integrated security capabilities and functionality beyond protecting the infrastructure itself. This model requires that operating systems, applications, and content be managed and secured by the cloud consumer.

As a conclusion, the lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.

3. Security benefits of cloud computing

Cloud computing has significant potential to improve security and resilience, and therefore the security risks of cloud computing must be balanced by a review of its specific security benefits. In this chapter we will focus on the key ways in which cloud computing can contribute [3]:

• Security and benefits of scale. All kinds of security measures are cheaper when implemented on a larger scale. Therefore the same amount of investment in security buys better protection. This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc. Other benefits of scale include: multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response to incidents, threat management.

• Security as a market differentiator. Security is a priority concern for many cloud customers; many of them will make buying choices on the basis of the reputation for confidentiality, integrity and resilience of, and the security services offered by, a provider. This is a strong driver for cloud providers to improve security practices.

• Standardized interface for managed security service. Large cloud providers can offer a standardized, open interface to managed security services providers. This creates a more open and readily available market for security services.

• Rapid, smart scaling of resources. The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.

• Audit and evidence gathering. Cloud computing (when using virtualization) can provide dedicated, pay-per-use forensic images of virtual machines which are accessible without taking infrastructure off-line, leading to less down-time for forensic analysis. It can also provide more cost-effective storage for logs allowing more comprehensive logging without compromising performance.

• More timely, effective and efficient updates and defaults. Default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes; IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline. Updates can be rolled out many times more rapidly across a homogeneous platform than in traditional client-based systems that rely on the patching model.

• Benefits of resource concentration. Although the concentration of resources undoubtedly has disadvantages for security, it has the obvious advantage of cheaper physical perimeterization and physical access control (per unit resource) and the easier and cheaper application of many security-related processes.

4. Security risks of cloud computing

Many of the risks frequently associated with cloud computing are not new, and can be found in enterprises today. Well-planned risk management activities will be crucial in ensuring that information is simultaneously available and protected. Given the dynamic business environment and focus on globalization, there are very few enterprises that do not outsource some part of their business. Engaging in a relationship with a third party will mean that the business is not only using the services and technology of the cloud provider, but also must deal with the way the provider runs its organization, the architecture the provider has in place, and the provider’s organizational culture and policies.

4.1 Areas of critical focus

In this chapter we list areas of critical focus related to cloud computing that need to be managed [1], [2], [3] and [7]:

• Cloud provider selection. Enterprises need to be particular in choosing a provider. Reputation, history and sustainability should all be factors to consider. Sustainability is of particular importance to ensure that services will be available and data can be tracked.

• Loss of governance. In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defenses.

• Lock-in. There is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular cloud provider for service provision, especially if data portability, as the most fundamental aspect, is not enabled.

• Malicious insider. Third-party access to sensitive information creates a risk of compromise to confidential information. In cloud computing, this can pose a significant threat to ensuring the protection of intellectual property (IP) and trade secrets.

• Data segregation. Public clouds allow high-availability systems to be developed at service levels often impossible to create in private networks, except at extraordinary costs. The downside to this availability is the potential for commingling of information assets with other cloud customers, including competitors.

• Compliance requirements. Compliance with regulations and laws in different geographic regions can be a challenge for enterprises. At this time there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that the contract specifies the areas where the cloud provider is responsible and liable for ramifications arising from potential issues.

• Continuity and recovery. Due to the dynamic nature of the cloud, information may not immediately be located in the event of a disaster. Business continuity and disaster recovery plans must be well documented and tested. The cloud provider must understand the role it plays in terms of backups, incident response and recovery. Recovery time objectives should be stated in the contract.

• Insecure or incomplete data deletion. When a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.

• Incident Response, Notification and Remediation. Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident handling program.

• Identity and Access Management. Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity and Access Management (IAM).

• Virtualization. The use of virtualization technology in Cloud Computing. The domain addresses items such as risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. This domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization.

• Encryption and Key Management. Identifying proper encryption usage and scalable key management. This section is not prescriptive, but is more informational in discussing why they are needed and identifying issues that arise in use, both for protecting access to resources as well as for protecting data.

4.2 Dark clouds

Cloud computing also provides means for illegal purposes and may be used by:

• Hackers, who can obtain CPU resources to brute-force password / encryption algorithms

• Cyber criminals, who are able to run command and control networks for botnets, or create the botnets themselves that can be considered a form of cloud computing

• Rogue employees wishing to avoid formal purchasing channels or to host malicious systems outside the corporate boundaries that from the service provider URL may appear to be a legitimate site.

There has also been discussion about the risk of Economic Denial of Sustainability (EDoS) attacks in the cloud [3]. In these attacks, an attacker identifies an organisation that relies upon an on-demand cloud based infrastructure to conduct an aspect of its business (either customer facing or not), and makes bulk requests to it in a form of cyber warfare. The bulk requests cause the cloud infrastructure to scale in response and hence increase the cost (or reduce the quality of service) to the customer organisation.

Fighting an attack of this type may prove challenging, as the requests could be sent from tens of thousands of nodes in a botnet, with each appearing as legitimate customer or user requests. Attacks may also be made at a low level with the intention to cause long-term increases in expenditure rather than a denial of service. The attacker may have several motivations for launching such an attack: payment from a third party to launch the attack; the potential to cripple a competitor; and a method of weakening the financial stability of the attack target.

5. How to secure cloud computing

5.1 Cloud reference model

The Cloud Cube Model by Jericho [3] illustrates the many permutations available in cloud offerings today and presents four criteria and dimensions in order to differentiate cloud ‘formations’ from one another and the manner of their provision, in order to understand how cloud computing affects the way in which security might be approached.

Figure 4. Jericho Cloud Cube Model.

The Cloud Cube Model also highlights the challenges of understanding and mapping cloud models to control frameworks and standards such as ISO/IEC 27002. As such, the differences in methods and responsibility for securing the three cloud service models mean that consumers of cloud services are faced with a challenging endeavor. Unless cloud providers can readily disclose their security controls and the extent to which they are implemented to the consumer and the consumer knows which controls are needed to maintain the security of their information, there is tremendous potential for misguided decisions and detrimental outcomes.

By first classifying a cloud service against the cloud reference model, it is then possible to map its security architecture (as well as business, regulatory, and other compliance requirements) against it and carry out a gap analysis. The result determines the general “security” posture of a service and how it relates to an asset’s assurance and protection requirements.

Appendix 1 shows an example of how a cloud service mapping can be compared against a catalogue of compensating controls to determine which controls exist and which do not as provided by the consumer, the cloud service provider, or a third party. This can in turn be compared to a compliance framework or set of requirements such as PCI DSS.

Once this gap analysis is complete (per the requirements of any regulatory or other compliance mandates) it becomes much easier to determine what needs to be done in order to feed back into a risk assessment framework. This helps to determine how the gaps and ultimately risk should be addressed: accepted, transferred, or mitigated.

The use of cloud computing as an operational model does not inherently provide for or prevent achieving compliance. The ability to comply with any requirement is a direct result of the service and deployment model utilized and the design, deployment, and management of the resources in scope.

5.2 Cloud computing security controls

Security controls in cloud computing are mostly similar to security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the new technologies (Service Oriented Architecture (SOA), Web 2.0 and the virtualization of servers and communication infrastructure) used to enable cloud services, cloud computing may present new risks to an organization compared to traditional IT solutions.

Nowadays information security infrastructure is designed and implemented by the organization’s own IT department and may be characterized by the maturity, effectiveness, and completeness of the risk management based security controls. These controls are normally built in one or more layers ranging from the facilities (physical security), to the network infrastructure (network security), to the IT systems (system security), and all the way to the information and applications (application security). Additionally, controls are implemented at the people and process levels, such as separation of duties and change management.

Cloud computing holds many attractions like the cost efficiencies afforded by economies of scale, reuse, and standardization. To achieve these objectives, cloud providers have to provide services that are flexible enough to serve the largest customer base possible, maximizing their offering. Unfortunately, cloud providers face challenges in integrating security into these solutions. This often means the inability to gain parity in security control deployment in cloud environments compared to traditional IT. This stems mostly from the abstraction of infrastructure, and the lack of visibility and capability to integrate many familiar security controls, especially at the network layer.

Appendix 2 illustrates these issues: in SaaS environments the security controls and their scope are negotiated into the contracts for service; service levels, privacy, and compliance are all issues to be dealt with legally in contracts. In an IaaS offering, while the responsibility for securing the underlying infrastructure and abstraction layers belongs to the provider, the remainder of the stack is the consumer’s responsibility. PaaS offers a balance somewhere in between, where securing the platform itself falls onto the provider, but securing the applications developed against the platform and developing them securely both belong to the consumer. Understanding the impact of these differences between service models and how they are deployed is critical to managing the risk posture of an organization.
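The classification and gap analysis described in sections 5.1 and 5.2 can be sketched as follows. This is an added example, not part of the original paper: the layer list refines the control layers named in section 5.2 with assumed "virtualization", "operating_system" and "platform" layers, and all control identifiers and sample data are constructed.

```python
"""Gap analysis of a cloud service against a control catalogue (added example)."""
from dataclasses import dataclass

# Stack layers, bottom-up. An assumed refinement of the layers in section 5.2.
LAYERS = ["facilities", "network", "virtualization",
          "operating_system", "platform", "application"]

# Topmost layer the provider secures for each service model (section 5.2).
PROVIDER_TOP = {"IaaS": "virtualization", "PaaS": "platform", "SaaS": "application"}


@dataclass(frozen=True)
class Control:
    control_id: str  # constructed identifier, not taken from a real framework
    layer: str


@dataclass(frozen=True)
class Implementation:
    control_id: str
    party: str       # "consumer", "provider" or "third_party"
    evidenced: bool  # True if the control has been disclosed or audited


def responsible_party(service_model, layer):
    """Who must secure `layer` under the given service model."""
    top = LAYERS.index(PROVIDER_TOP[service_model])
    return "provider" if LAYERS.index(layer) <= top else "consumer"


def gap_analysis(service_model, required, implemented):
    """Return {control_id: (owner, status)} for every required control.

    status is "covered", "unverified" (implemented by some party, but no
    evidence disclosed) or "gap" (no party implements it).
    """
    by_id = {}
    for impl in implemented:
        by_id.setdefault(impl.control_id, []).append(impl)
    report = {}
    for ctl in required:
        owner = responsible_party(service_model, ctl.layer)
        impls = by_id.get(ctl.control_id, [])
        if not impls:
            status = "gap"
        elif any(i.evidenced for i in impls):
            status = "covered"
        else:
            status = "unverified"
        report[ctl.control_id] = (owner, status)
    return report


def open_items(report):
    """Controls that still need action, sorted by identifier."""
    return sorted((cid, owner, status)
                  for cid, (owner, status) in report.items()
                  if status != "covered")


def consumer_owned(service_model, required):
    """Identifiers of the controls the consumer is responsible for."""
    return [c.control_id for c in required
            if responsible_party(service_model, c.layer) == "consumer"]


# Constructed sample catalogue and control inventory.
REQUIRED = [
    Control("PHYS-ACCESS", "facilities"),
    Control("NET-FILTERING", "network"),
    Control("HYPERVISOR-HARDENING", "virtualization"),
    Control("OS-PATCHING", "operating_system"),
    Control("RUNTIME-HARDENING", "platform"),
    Control("APP-INPUT-VALIDATION", "application"),
    Control("APP-DATA-ENCRYPTION", "application"),
]
IMPLEMENTED = [
    Implementation("PHYS-ACCESS", "provider", True),
    Implementation("NET-FILTERING", "provider", False),  # claimed, not disclosed
    Implementation("HYPERVISOR-HARDENING", "provider", True),
    Implementation("OS-PATCHING", "consumer", True),
    Implementation("APP-DATA-ENCRYPTION", "third_party", True),
]

if __name__ == "__main__":
    for model in ("IaaS", "PaaS", "SaaS"):
        report = gap_analysis(model, REQUIRED, IMPLEMENTED)
        print(model, "consumer owns", len(consumer_owned(model, REQUIRED)), "controls")
        for cid, owner, status in open_items(report):
            print(f"  {cid:22} owner={owner:8} status={status}")
```

Running the same catalogue through all three service models shows the owner of each open item shifting from consumer to provider as the provider's part of the stack grows.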

6. Summary

While cloud computing is certainly poised to deliver many benefits and is likely to be adopted by enterprises, they should carefully analyse the cloud service offerings and architecture models available and map them to a model of compensating security and operational controls, risk assessment and management frameworks, and in turn to compliance standards. Risk management activities must be managed throughout the information life cycle and risks should be reassessed regularly or in the event of a change.

Enterprises that have been considering the use of the cloud in their environment should be aware that adoption of cloud computing will have implications for their IT and security infrastructure. They must work with legal, security and assurance professionals to ensure that the appropriate levels of security and privacy are achieved.

References

[1] Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, ISACA®, www.isaca.org/cloud

[2] Cloud Computing Business Scenario Workshop, The Open Group, http://www.opengroup.org/cloudcomputing/uploads/40/20362/R091.pdf

[3] Cloud Computing Risk Assessment, European Network and Information Security Agency (ENISA), http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

[4] Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration, Jericho Forum, http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

[5] National Institute of Standards and Technology (NIST), http://csrc.nist.gov/groups/SNS/cloud-computing/

[6] Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Cloud Security Alliance, http://www.cloudsecurityalliance.org/

[7] Seven cloud-computing security risks, Infoworld, http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Appendix 1: Mapping the cloud model to the security and control model

Appendix 2: How to incorporate security in cloud computing