Unit 4
Jagdish Bhatta
Cloud Computing Chapter- Building Cloud Networks
The seven security issues which one should discuss with a cloud-computing vendor:
1. Privileged user access —inquire about who has specialized access to data, and
about the hiring and management of such administrators.
2. Regulatory compliance—make sure that the vendor is willing to undergo external
audits and/or security certifications.
3. Data location—does the provider allow for any control over the location of data?
4. Data segregation —make sure that encryption is available at all stages, and that
these encryption schemes were designed and tested by experienced professionals.
5. Recovery —Find out what will happen to data in the case of a disaster. Do they
offer complete restoration? If so, how long would that take?
6. Investigative support —Does the vendor have the ability to investigate any
inappropriate or illegal activity?
7. Long-term viability —What will happen to data if the company goes out of
business? How will data be returned, and in what format?
To address the security issues listed above, SaaS providers will need to incorporate and
enhance security practices used by the managed service providers and develop new ones as
the cloud computing environment evolves. The baseline security practices for the SaaS
environment as currently formulated are discussed in the following sections.
- Security Management (People): One of the most important actions for a security team
is to develop a formal charter for the security organization and program. This will foster a
shared vision among the team of what security leadership is driving toward and expects,
and will also foster “ownership” in the success of the collective team. The charter should
be aligned with the strategic plan of the organization or company the security team works
for. Lack of clearly defined roles and responsibilities, and agreement on expectations, can
result in a general feeling of loss and confusion among the security team about what is
expected of them, how their skills and experience can be leveraged, and how to meet their
performance goals. Morale among the team and pride in the team is lowered, and security
suffers as a result.
- Risk Assessment: Security risk assessment is critical to helping the information security
organization make informed decisions when balancing the dueling priorities of business
utility and protection of assets. Lack of attention to completing formalized risk assessments
can contribute to an increase in information security audit findings, can jeopardize
certification goals, and can lead to inefficient and ineffective selection of security controls
that may not adequately mitigate information security risks to an acceptable level. A formal
information security risk management process should proactively assess information
security risks as well as plan and manage them on a periodic or as-needed basis. More
detailed and technical security risk assessments in the form of threat modeling should also
be applied to applications and infrastructure. Doing so can help the product management
and engineering groups to be more proactive in designing and testing the security of
applications and systems and to collaborate more closely with the internal security team.
Threat modeling requires both IT and business process knowledge, as well as technical
knowledge of how the applications or systems under review work.
- Third-Party Risk Management: As SaaS moves into cloud computing for the storage
and processing of customer data, there is a higher expectation that the SaaS will effectively
manage the security risks with third parties. Lack of a third-party risk management
program may result in damage to the provider’s reputation, revenue losses, and legal
actions should the provider be found not to have performed due diligence on its third-party
vendors.
1. Authentication
2. Authorization
3. Availability
4. Confidentiality
5. Integrity
6. Accountability
7. Privacy
The creation of a secure architecture provides the engineers, data center operations
personnel, and network operations personnel a common blueprint to design, build, and test
the security of the applications and systems. Design reviews of new changes can be better
assessed against this architecture to assure that they conform to the principles described in
the architecture, allowing for more consistent and effective design reviews.
Vulnerability Assessment:
Data Privacy:
A risk assessment and gap analysis of controls and procedures must be conducted. Based
on this data, formal privacy processes and initiatives must be defined, managed, and
sustained. As with security, privacy controls and protection must be an element of the secure
architecture design. Depending on the size of the organization and the scale of operations,
either an individual or a team should be assigned and given responsibility for maintaining
privacy. A member of the security team who is responsible for privacy or a corporate
security compliance team should collaborate with the company legal team to address data
privacy issues and concerns. As with security, a privacy steering committee should also be
created to help make decisions related to data privacy. Typically, the security compliance
team, if one even exists, will not have formalized training on data privacy, which will limit
the ability of the organization to address adequately the data privacy issues they currently
face and will be continually challenged on in the future. The answer is to hire a consultant
in this area, hire a privacy expert, or have one of your existing team members trained
properly. This will ensure that your organization is prepared to meet the data privacy
demands of its customers and regulators.
for Proposal questions regarding privacy must be answered accurately. This requires special
skills, training, and experience that do not typically exist within a security team. As
companies move away from a service model under which they do not store customer data
to one under which they do store customer data, the data privacy concerns of customers
increase exponentially. This new service model pushes companies into the cloud
computing space, where many companies do not have sufficient experience in dealing with
customer privacy concerns, permanence of customer data throughout its globally
distributed systems, cross-border data sharing, and compliance with regulatory or lawful
intercept requirements.
Data Security:
The ultimate challenge in cloud computing is data-level security, and sensitive data is the
domain of the enterprise, not the cloud computing provider. Security will need to move to
the data level so that enterprises can be sure their data is protected wherever it goes. For
example, with data-level security, the enterprise can specify that this data is not allowed to
go outside of the United States. It can also force encryption of certain types of data, and
permit only specified users to access the data. It can provide compliance with the Payment
Card Industry Data Security Standard (PCI DSS). True unified end-to-end security in the
cloud will likely require an ecosystem of partners.
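The data-level controls described above (location restriction, forced encryption, a list of permitted users) can be expressed as a policy that is looked up by data classification and checked on every access or transfer. The following is an added example, not part of the original notes; the class names, classification labels, region names and user names are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataPolicy:
    allowed_regions: frozenset   # where the data may be stored or sent
    require_encryption: bool     # data must be encrypted when it moves
    allowed_users: frozenset     # principals permitted to access the data

@dataclass(frozen=True)
class Request:
    data_class: str              # classification label attached to the data
    user: str
    destination_region: str
    encrypted: bool

# Constructed sample policies (hypothetical labels, regions and users).
POLICIES = {
    "cardholder": DataPolicy(frozenset({"us-east", "us-west"}), True,
                             frozenset({"billing-svc"})),
    "marketing": DataPolicy(frozenset({"us-east", "eu-west"}), False,
                            frozenset({"billing-svc", "analyst"})),
}

def evaluate(req, policies=POLICIES):
    """Return (allowed, reasons). All rules are checked so that an audit
    record shows every violation, not only the first one found."""
    policy = policies.get(req.data_class)
    if policy is None:
        # Unclassified data has no policy: fail closed.
        return False, ["no policy for data class (default deny)"]
    reasons = []
    if req.user not in policy.allowed_users:
        reasons.append("user not authorized")
    if req.destination_region not in policy.allowed_regions:
        reasons.append("destination region not permitted")
    if policy.require_encryption and not req.encrypted:
        reasons.append("encryption required")
    return not reasons, reasons

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("cardholder", "billing-svc", "us-east", True),
        Request("cardholder", "analyst", "eu-west", False),
        Request("hr-records", "billing-svc", "us-east", True),
    ]
    for r in samples:
        print(r, "->", evaluate(r))
```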
Application Security:
Application security is one of the critical success factors for a world-class SaaS company.
This is where the security features and requirements are defined and application security
test results are reviewed. Application security processes, secure coding guidelines, training,
and testing scripts and tools are typically a collaborative effort between the security and the
development teams. Although product engineering will likely focus on the application
layer, the security design of the application itself, and the infrastructure layers interacting
with the application, the security team should provide the security requirements for the
product development engineers to implement. This should be a collaborative effort
between the security and product development team. External penetration testers are used
for application source code reviews, and attack and penetration tests provide an objective
review of the security of the application as well as assurance to customers that attack and
penetration tests are performed regularly. Fragmented and undefined collaboration on
application security can result in lower-quality design, coding efforts, and testing results.
In the cloud environment, physical servers are consolidated to multiple virtual machine
instances on virtualized servers. Not only can data center security teams replicate typical
security controls for the data center at large to secure the virtual machines, they can also
advise their customers on how to prepare these machines for migration to a cloud
environment when appropriate.
Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can
all be deployed as software on virtual machines to increase protection and maintain
compliance integrity of servers and applications as virtual resources move from on-
premises to public cloud environments. By deploying this traditional line of defense to the
virtual machine itself, you can enable critical applications and data to be moved to the
cloud securely. To facilitate the centralized management of a server firewall policy, the
security software loaded onto a virtual machine should include a bidirectional stateful
firewall that enables virtual machine isolation and location awareness, thereby enabling a
tightened policy and the flexibility to move the virtual machine from on-premises to cloud
resources. Integrity monitoring and log inspection software must be applied at the virtual
machine level.
This approach to virtual machine security, which connects the machine back to the mother
ship, has some advantages in that the security software can be put into a single software
agent that provides for consistent control and management throughout the cloud while
integrating seamlessly back into existing security infrastructure investments, providing
economies of scale, deployment, and cost savings for both the service provider and the
enterprise.
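The bidirectional stateful firewall with location awareness described above can be modelled in a few lines. This is an added example, not part of the original notes: the rule format, the location names, the addresses and the choice to flush tracked connections when the virtual machine moves are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the virtual machine
    src: str
    sport: int
    dst: str
    dport: int

# Constructed policy: which NEW connections may start, per location.
# Each rule is (direction, remote network, destination port).
POLICY = {
    "on-premises": [("in", "10.0.0.0/8", 22), ("in", "0.0.0.0/0", 443),
                    ("out", "0.0.0.0/0", 443)],
    "cloud":       [("in", "0.0.0.0/0", 443), ("out", "10.0.0.0/8", 443)],
}

class VmFirewall:
    def __init__(self, location):
        self.location = location
        self.flows = set()   # tracked connections: (local, lport, remote, rport)

    def relocate(self, location):
        """Switch to the policy for the new location. Tracked state is
        flushed so old connections are re-judged under the new rules."""
        self.location = location
        self.flows.clear()

    def filter(self, pkt):
        # Normalise both directions to one flow key so replies match.
        if pkt.direction == "out":
            flow, remote = (pkt.src, pkt.sport, pkt.dst, pkt.dport), pkt.dst
        else:
            flow, remote = (pkt.dst, pkt.dport, pkt.src, pkt.sport), pkt.src
        if flow in self.flows:
            return "allow"   # part of a connection already permitted
        for direction, net, port in POLICY[self.location]:
            if (direction == pkt.direction and pkt.dport == port
                    and ipaddress.ip_address(remote) in ipaddress.ip_network(net)):
                self.flows.add(flow)
                return "allow"
        return "drop"        # default deny in both directions

if __name__ == "__main__":
    fw, vm = VmFirewall("on-premises"), "10.1.1.5"
    ssh = Packet("in", "10.2.2.2", 40000, vm, 22)
    print("on-premises ssh:", fw.filter(ssh))
    fw.relocate("cloud")
    print("cloud ssh:", fw.filter(ssh))
```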