Week 13: Evaluating Cloud Security - An Information Security Framework Flashcards
The framework defines a number of checklists of ___that span the range of activities that together support information security for cloud computing
The goal is to provide an __, which can be used to evaluate the security of a private, community, public, or hybrid cloud
evaluation criteria
organized set of tools
Evaluating the security of a ___ may best be done by managing the evaluation of the two or more cloud instances using one set of checklists per instance
hybrid cloud
The ___and ___of a cloud share responsibility for ensuring that security measures are in place and standards/procedures are followed
owner
operator
The ___ takes a similar approach in detailing security requirements for cloud implementations
Cloud Security Alliance Controls Matrix
A good starting point when you need to measure the presence and effectiveness of cloud security includes having a list of ___
required or recommended security controls
It is not enough that a security control is present
That control also needs to be effective
One can describe this as the ___
degree of trust (or assurance) that can be expected from these controls
Measuring the presence and/or effectiveness of security controls is largely what ___are intended to do
security evaluations
designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Cloud Controls Matrix (CCM)
focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency
Consensus Assessments Initiative Questionnaire
presents security guidance for a number of areas in cloud computing: architecture, governance, traditional security, virtualization
Security Guidance for Critical Areas of Focus in Cloud Computing
discusses the major identity management functions as they relate to cloud computing
Guidance for Identity & Access Management
leading the security guidance efforts in Europe, and has produced several publications
European Network and Information Security Agency (ENISA)
A set of assurance criteria addressing the risk of adopting cloud computing
Cloud Computing: Information Assurance Framework
A security policy defines the organization’s overall ___
security goals
Standards
Standards state mandatory actions that support the policy
Guidelines
provide guidance for implementation of standards
___for a cloud is a foundation of operational security
Personnel security
Checklist 1: Policy, Standards, & Guidelines
Has a security policy been clearly documented, approved, and represented to all concerned parties as representing the management’s intent?
Has the security policy had legal, privacy, and other governance review?
Has the security policy been augmented by security standards and/or guidelines?
Has the policy been augmented by a privacy policy?
Are the security and privacy policies, as well as standards and guidelines, consistent with industry standards (such as 27001, CoBIT, etc.)?
Checklist 2: Transparency
Does the CSP provide customers with a copy of the governing policies, standards, and guidelines?
- Are customers notified of changes to these documents?
Does the CSP provide customers visibility into internal and external audits?
Does the CSP provide customers visibility into third party compliance audits?
Does the CSP provide customers visibility into penetration tests?
Does the CSP provide customers visibility into CSP asset management and repurposing of equipment?
Checklist 3: Personnel Security
Are there policies and procedures for:
- Hiring employees with access to or control over cloud components? - Pre-employment checks for personnel with privileged access?
Are personnel security policies consistent across locations?
Is there a security education program, and if so, how extensive is it?
Is personnel security frequently reviewed to determine if employees with access should continue to have access?
Are personnel required to have and maintain security certifications?
Does physical access to the CSP’s facility require background checks?
Checklist 4: Third Party Providers
Are any services or functions provided by a third party?
If any part of a cloud is subcontracted or otherwise outsourced, does the providing party comply with the same policy and standards that the CSP enforces?
If used, are third party providers audited for compliance with the CSPs policies and standards?
Does the CSP security policy (or equivalent) and governance extend to all third party providers?
Business considerations include ___, business ___, and resource ___
legal
continuity
provisioning
Resource provisioning has to do with assuring that the cloud service will be sufficiently resourced as ___
customer demand increases
Checklist 5: Legal
In which jurisdiction is the CSP incorporated?
In which jurisdiction will data be stored?
Does the CSP use third party providers who are not located in the same jurisdiction?
Does the CSP use a customer’s data for secondary purposes?
Does the CSP have a documented procedure for responding to legal requests (such as a subpoena) for customer data?
Is the CSP insured against losses, including remuneration for customer losses due to CSP outages or data exposure?
Checklist 6: Business Continuity
Does the CSP have a formal process or contingency plan that documents and guides business continuity?
What are the service recovery point objective (RPO) and recovery time objective (RTO)?
Is information security integral to recovery and restoration?
How does the CSP communicate a disruption of services to customers?
Is there a secondary site for disaster recovery?
Checklist 7: Resource Provisioning
What controls and procedures are in place to manage resource exhaustion?
Processing oversubscription
Memory or storage exhaustion
Network congestion
Does the CSP limit subscriptions to the service in order to protect SLAs?
Does the CSP provide customers with utilization and capacity planning information?
The ___and ___of an operational cloud depends on the integrity of components that comprise it
integrity
security
___is a primary vector for vulnerabilities and exploits
Software
The ___ between different classes of traffic will drive other security requirements
degree of isolation
___ are generally responsible for the platform software stack
CSPs
Checklist 8: Software Assurance
What controls are in place to maintain integrity of operating systems, applications, firmware updates, configuration files, and other software?
What industry standards, guidelines, or best practices are followed?
What controls or guidelines are used to obtain or download software and configuration files?
What guidelines or procedures are used to maintain software integrity?
Is penetration or vulnerability testing used on each release?
How are identified vulnerabilities remediated?
Checklist 9: Network Security
What controls are in place to manage externally and internally sourced attacks, including distributed denial of service (DDoS)?
How is isolation between VMs managed?
How does the provider manage isolation between customer accessed systems and cloud management systems?
Does the CSP perform periodic penetration testing and/or vulnerability testing against the cloud?
Is vulnerability information made available to customers?
Does the CSP allow customers to perform vulnerability testing against their own VMs?
Checklist 10: Host and VM Security
Are VM images patched before they are provisioned?
- How and how frequently are VM images patched after being provisioned?
Can a customer provide his/her own VM image?
Do VM images include operating IDS or intrusion prevention systems (IPS) that the CSP/tenant has access to?
Do VM images include any form of network, performance, or security instrumentation that the CSP/tenant has access to?
How is isolation ensured between server co-located VMs for different customers?
How is communication implemented between VMs for the same customer?
Checklist 10: Host and VM Security
Are VM images patched before they are provisioned?
- How and how frequently are VM images patched after being provisioned?
Can a customer provide his/her own VM image?
Do VM images include operating IDS or intrusion prevention systems (IPS) that the CSP/tenant has access to?
Do VM images include any form of network, performance, or security instrumentation that the CSP/tenant has access to?
How is isolation ensured between server co-located VMs for different customers?
How is communication implemented between VMs for the same customer?
Checklist 11: PaaS and SaaS Security
How does the CSP isolate multitenant applications?
How does the CSP isolate a user’s or tenant’s data?
How does the CSP identify new security vulnerabilities in applications and within the cloud infrastructure?
Does the CSP provide security as a service features for PaaS?
- Authentication, single sign on, authorization, and transport security
What administrative controls does the CSP provide to a tenant/user?
Do these support defining/enforcing access controls?
Does the CSP provide separate test and production environments for PaaS customers?
Checklist 12: Identity and Access Management
How does the CSP manage accounts with administrator or higher privilege?
Does the CSP enforce privilege separation (for instance, RBAC)?
Does the CSP grant tenants or users administrator privileges, and if so, what are the limits to this?
Does the CSP verify user identity at registration? If so, are there different checks depending on resources to which access is granted?
How are credentials and accounts deprovisioned?
Is multifactor authentication used?
Checklist 13: Key Management & Cryptography
How does the CSP protect keys, and what security controls are in place to this aim?
- Who has access to such keys?
What procedures are in place to manage and recover from the compromise of keys?
Is key revocation performed in a cloud-wide atomic operation?
For what operations (and where) is encryption used?
- Does security policy clearly define what must be encrypted?
Are all encryption mechanisms based on third party tested and evaluated products?
Many concerns around public clouds have to do with the fact that ___ is in a third party’s control
physical security of IT
With a public cloud, a physical breach will affect multiple customers
The goal of incident management and response is to ___
minimize or contain the impact of events
Checklist 14: Data Center Physical Security
What are the requirements for being granted physical access to the CSP’s facility?
- Do non-employees require escort in the facility?
Is the facility divided into zones with distinct access permissions?
Is strong authentication required for physical access?
Is all access monitored and documented?
- Are all entry locations alarmed and monitored? - Is video monitoring used for all common areas of the facility?
How long is video retained?
Is power and networking secured within the facility?
Are environmental systems (lighting, AC, fire detection) implemented to industry standards?
Checklist 15: Data Center Asset Management
Does the CSP maintain a current and complete inventory of all hardware, network, software, and virtual components that comprise the cloud?
Does the CSP automate inventory tracking and management?
Does the CSP maintain a record of all assets that a customer has used or on which a customer has stored data?
Does the CSP support asset categories of different sensitivity levels?
- If so, how are these isolated or separated from each other? - Does the CSP maintain segregation or physical separation of assets at different sensitivity levels?
Checklist 16: Operational Practices
Are operating procedures clearly documented and followed?
Is there a formal change control process?
- Does change control include a means to guide decisions as to what changes require a reassessment of risk?
Are there separate environments for development, testing, and production?
What security controls are used to mitigate malicious code?
What are the backup procedures?
- Where are backups stored, and for how long are they kept?
Will the CSP securely delete all copies of customer data after termination of the customer’s contract?
Checklist 17: Incident Management
What information is captured in audit, system, and network logs?
- How long is it retained, and who has access to it? - What controls are used to protect these logs?
Does the CSP have formal processes to detect, identify, and respond to incidents?
- Are these processes periodically tested to verify that they are effective?
Does the CSP allow customers to implement a host-based IDS in VMs?
Does a CSP accept customer events and incident information into their security monitoring and incident management process?
Does the CSP offer transparency into incident events?
- If so, what kind of information is shared with customers and users? - Does the CSP report statistics on incidents to customers?
The checklists alone have utility to judge the security of a cloud
However, what prospective public cloud customers and owners of a private cloud want to know is
How secure is the implementation?
Is the CSP meeting best practices for security?
How well does the CSP meet security requirements?
How does this service compare with other similar services?
There is a good deal of variation in how controls can be ___ and how they can be ___
implemented
measured
This makes it very difficult to identify metrics for each question
with respect to security checklists, existing approaches for measuring security meet this challenge by
detailing fine grained security controls for specific realms (NIST 800-53)
specifying which of these controls apply to systems operating at different levels of assurance or sensitivity
