Week 6: Security Concerns and Legal Aspects

Question 1

Drawbacks of cloud security

Answer 1

Significant investments are required

Regardless of the delivery and deployment model, some degree of control is transferred to the cloud provider

Question 2

Overview of Security Concerns - Network Availability

Answer 2

The value of cloud computing can only be realized when network connectivity and bandwidth meet certain minimum needs

Question 3

Overview of Security Concerns - Cloud Provider Viability

Answer 3

–Since cloud providers are relatively new to the business, there are questions about their viability and commitment
–This concern deepens when a provider requires tenants to use proprietary interfaces, thus leading to tenant lock-in

Question 4

Overview of Security Concerns - Disaster Recovery and Business Continuity

Answer 4

Tenants and users require confidence that their operations will continue if the cloud provider’s production environment is subject to a disaster

Question 5

Overview of Security Concerns - Security Incidents

Answer 5

Tenants and users need to be informed by the provider when an incident occurs and may require provider support to respond to audit findings

Question 6

Overview of Security Concerns - Transparency

Answer 6

If providers do not expose details of their internal policy or technology implementation, tenants or users must trust the provider’s security claims

Question 7

Overview of Security Concerns - New Risks, New Vulnerabilities

Answer 7

There is concern that cloud computing brings new risks and vulnerabilities
•The actual exploits will largely be a function of a provider’s implementation
•Although all software, hardware, and networking equipment are subject to vulnerabilities, by applying layered security and well-conceived operational processes, a cloud may be protected from common types of attacks

Question 8

Overview of Security Concerns - Loss of Physical Control

Answer 8

Loss of physical control over data and applications results in a range of concerns
•With public or community clouds, data may not remain in the same system, raising multiple legal concerns
•Data may be comingled in various ways with data belonging to others
•A tenant administrator has limited control scope and accountability
•Tenants need confidence that the provider will offer appropriate controls, while recognizing that they need to lower their expectations for how much control is reasonable within these models

Question 9

Overview of Security Concerns - Legal and Regulatory Compliance

Answer 9

–It may be difficult or unrealistic to utilize public clouds if the data is subject to legal restrictions or regulatory compliance
–Achieving certifications to address the needs of regulated markets may be challenging due to the current stage of general cloud knowledge

Question 10

A virtual machine (VM) is

Answer 10

standard operating system (OS) instance captured in a fully configured and operationally ready system image

Question 11

A hypervisorrepresents itself to the VM as

Answer 11

the underlying hardware, thus supporting the operation of the VM

Question 12

Vendor implementations of virtualization vary, but in general they can be classified as follows

Answer 12

Type 1 or native virtualization is implemented by a hypervisor running directly on bare hardware

Type 2or hosted virtualization has a hypervisor running as an application within a host OS

OS implemented virtualizationis implemented by the OS itself taking the place of the hypervisor

Question 13

Type 1 Virtualization

Answer 13

native virtualization

implemented by a hypervisor running directly on bare hardware

Guest OSs run on top of the hypervisor

Microsoft Hyper-V, Oracle VM, LynxSecure, VMware ESX, and IBM z/VM

Question 14

Type 2 Virtualization

Answer 14

hosted virtualization

has a hypervisor running as an application within a host OS - VMs also run above the hypervisor

Oracle VirtualBox, Parallels, Virtual PC, VMware Fusion, VMware Server, Xen, and XenServer

Question 15

OS implemented virtualization

Answer 15

implemented by the OS itself taking the place of the hypervisor

Solaris Containers, BSDjails, OpenVZ, Linux-VServer, and Parallels VirtuozzoContainers

Question 16

Network-based IDSs do/do not work well with virtual servers

Answer 16

do not

Question 17

The management tools used in a physical server-based deployment will /will not suffice in a highly dynamic virtualized one

Answer 17

will not

Question 18

In a physical server deployment model, provisioning automation is generally

Answer 18

not heavily used

Question 19

In a heavily virtualized environment, whether it be a cloud or not, OS provisioning will rapidly transition toward being

Answer 19

highly automated

Question 20

compromise of hypervisor

Answer 20

it will become primary target if vulnerable, and have broad impact

Question 21

hypervisor protection

Answer 21

network isolation and security monitoring

Question 22

use of local storage in public cloud - Solution?

Answer 22

If during the operation of a VM, data is written to physical media, or to memory, and it is not cleared before those resources are reallocated to the next VM, then there is a potential for information exposure

Solution. Assume control over your use of storage and memory when using a public cloud by clearing data yourself

Question 23

potential for undetected network attacks between VMs co-located on a server - Solution?

Answer 23

Unless the traffic from each VM can be monitored, you cannot detect attacks between VMs
•Solution.Invoke OS-based traffic filtering or firewalling
•Solution. Use segregationto isolate different classes of VMs

Question 24

A hypervisor is ___and ____focused than a general purpose operating system, and ___exposed

Answer 24

smaller more less

Question 25

A hypervisor____undergo frequent change and____run third-party applications

Answer 25

does not does not

Question 26

The guest operating systems, which may be vulnerable, ___ have direct access to the hypervisor

Answer 26

do not

Question 27

The hypervisor is ___ to network traffic with the exception of traffic to/from ____

Answer 27

completely transparent

a dedicated hypervisor management interface

Question 28

Are there any documents attacks against hypervisor?

Answer 28

No

Question 29

The prime advantage of automated provisioning in clouds is

Answer 29

the predictability, and speed of constituting a resource for a customer

Question 30

Other advantages to provisioning in cloud

Answer 30

Enhancing availability by
•provisioning multiple instances of a service
•provisioning a service across multiple data centers

Question 31

The security of provisioning depends on the

Answer 31

ability to protect master images and deploying them intact and in a secure manner

Question 32

Provisioning challenges

Answer 32

Reliance on hypervisors

Need for process isolation at every stage of provisioning

Question 33

There is greater concern for potential compromise of ____than for the security of a hypervisor

Answer 33

a provisioning service

Question 34

There are several concerns about cloud data storage

Answer 34

Since clouds tend to implement storage in a centralized facility, some view storage as a potential target for criminals or hackers

Multitenancy relies on isolation mechanisms (which can fail)

Storage systems are complex hardware and software implementations

There are always questions as to the potential for catastrophic failure that might either destroy or expose the data
There is a possibility that a cloud provider may store data in multiple jurisdictions
•
The potential exists for data to become accessed by foreign governments

Question 35

When data falls under regulatory or compliance restrictions, our choice of cloud deployment (be it private, hybrid, or public) depends on an understanding that the provider is fully compliant - whose obligation?

Answer 35

The tenant or user

Question 36

Although the legal ownership of data will remain with the originating data owner, one potential area for concern with a public cloud is that the cloud provider may

Answer 36

Become responsible for owner and custodian

Question 37

concerns with legally admissible evidence in cloud

Answer 37

• Having a tenant obtain access to a provider’s records may compromise the privacy of other tenants
• It may be difficult to prove that a tenant’s forensics data that is gathered and stored in a public cloud has not been tampered with

Question 38

Some of the technologiesand many of the software components that define cloud computing are still quite new and have yet to gain a high degree of ___for experienced security professionals

Answer 38

trust

Question 39

___and ___between components are two realms where vulnerabilities may arise

Answer 39

Complexity interaction

Question 40

FedRAMP

Answer 40

The U.S. government has launched an effort called FedRAMP
–It is oriented toward enabling the entire process of assuring that cloud instances are appropriate for individual agency applications

Question 41

Two organizations are actively working to enhance cloud security

Answer 41

Cloud Security Alliance

Cloud Computing Interoperability Group

Question 42

Understanding how much risk you can tolerate depends on

Answer 42

assessing your security requirements

how you value your information assets (data, applications, and processes)

Question 43

risk

Answer 43

The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk

Question 44

Risk management is the process of

Answer 44

• identifying factors that could damage or disclose data
• evaluating those factors in light of data value and countermeasure cost
• implementing cost-effective solutions for mitigating or reducing risk to an acceptable level

Question 45

Exposure Factor (EF) or loss potential

Answer 45

The percentage of loss that an organization would experience if a specific asset were compromised by arealized risk

Question 46

Single Loss Expectancy (SLE)

Answer 46

–
The cost associated with a single realized risk against a specific asset
–
SLE = Asset Value * EF
–
Example: if AV = $200,000 and EF = 45%, then SLE = $90,000

Question 47

Annualized Rate of Occurrence (ARO)

Answer 47

The expected frequency with which a specific threat or risk will occur

Question 48

Annualized Loss Expectancy (ALE)

Answer 48

–
The possible yearly cost of all instances of a specific realized threat against a specific asset
–
ALE = SLE * ARO

Question 49

Steps of Quantitative Risk Analysis

Answer 49

1.Inventory assets, and assign value (AV)
2.For each asset, list all possible threats
–For each asset and threat pair, calculate EF and SLE
3.Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (ARO)
4.Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE)
5.Inventory countermeasures for each threat
–For each countermeasure, calculate the changes to ARO and ALE based on applying that countermeasure
6.Perform cost/benefit analysis, and select the most appropriate response to each threat for each asset

Question 50

Annual Cost of Safeguard (ACS)

Answer 50

Numerous factors are involved in calculating the value of a safeguard
•Cost of purchase, cost of maintenance, etc.

Question 51

Cost/benefit equation

Answer 51

(ALE before safeguard –ALE after safeguard) –ACS

–If the result is negative, the safeguard is not a financially viable choice
–If the result is positive, then that value is the annual savings the organization can gain by deploying the safeguard

Question 52

Qualitative risk analysis is ___

Answer 52

scenario based

Question 53

Qualitative Risk Analysis

Answer 53

A scenariois a written description of a single major threat, focusing on how the threat would affect the organization, the IT infrastructure, or specific assets

The process of performing qualitative risk analysis involves judgment, intuition, and experience

Question 54

Qualitative techniquesfor risk analysis include

Answer 54

–Brainstorming

–Delphi technique
•An anonymous feedback-and response process

–Focus groups

Question 55

management must address each specific risk in one of the these four possible ways

Answer 55

–Reduce/mitigate
•Implementing safeguards

–Assign or transfer
•Outsourcing, purchasing insurance

–Accept
•Written/signed decisionfrom senior management

–Reject
•Ignoring risk is unethicaland invalidates due care

Question 56

Residual risk

Answer 56

The risk that remains once countermeasures are implemented

Question 57

Controls gap

Answer 57

Controls gap = Total risk –Residual risk

Question 58

If concerns are raised about unacceptable risk, we might approach the overall problem by

Answer 58

limiting risk-sensitive processing to a private cloud
•this avoids the introduction of new risk

–using a public cloud for non risk-sensitive data

Question 59

Tenants and cloud customer operating in the U.S., Canada, or the E.U. are subject to numerous regulatory requirements, these include

Answer 59

These include Control Objectives for Information and related Technology (COBIT) and Safe Harbor

These may relate to where the data is stored or transferred to, as well as how well this data confidentiality is protected

Question 60

Some of these laws apply to specific markets, such as the ___for the health care industry

Answer 60

Health Insurance Portability and Accountability Act (HIPAA)

Question 61

The failure to adequately protect data can have serious consequences, including ___

Answer 61

fines by one or more government or industry regulatory bodies

Question 62

For example, the Payment Card Industry (PCI) can impose fines up to ___per month for compliance violations

Answer 62

$100,000

Question 63

The ___ requires a specific individual to be accountable for a company’s information security

Answer 63

Federal Trade Commission

Question 64

Several issues need to be considered at all stages of the contractual process

Answer 64

–Initial due diligence
–Contract negotiation
–Implementation
–Termination (end of term or abnormal)
–Supplier transfer

Question 65

Prior to entering into a contract with a cloud supplier, a company should evaluate its specific___

Answer 65

needs and requirements

For instance, if you are going to collect employee health records in the cloud, then you must ensure that any supplier will meet the guidelines defined by the HIPAA regulations

Question 66

the bulk of cloud services are ___ to involve tailored contracts than traditional hosting or outsourcing contracts

Answer 66

less likely

Question 67

The life cycle of the contractual process does not end when the contract is signed, but has to be continually evaluated throughout the term of the agreement
–The cloud provider needs to be assessed to ensure that____ and ___

Answer 67

The contracted services are in fact being delivered

All policies and procedures that have been contracted for are being followed

Question 68

Contractual Issues: Contract Negotiation

Answer 68

Once you have narrowed your selection of cloud service providers, the actual contract needs to be agreed upon

Question 69

Contractual Issues: Implementation

Answer 69

The life cycle of the contractual process does not end when the contract is signed, but has to be continually evaluated throughout the term of the agreement

Question 70

Contractual Issues: Termination

Answer 70

The end of the contract, whether due to reaching full term or abnormal termination, is the time when data is at most risk

Question 71

Abnormal termination can occur because of

Answer 71

–cloud provider ceasing activities

–breach of contract by one party

Question 72

Contractual Issues: Supplier Transfer

Answer 72

If you transfer services from one supplier to another, either at the termination of the contract or during the contract, you will have to consider the same factors discussed for termination
–Additionally, you will need to define a plan on how to transfer the data securely between vendors

Question 73

Cloud providers may try to ___the control over your data

Answer 73

limit

Question 74

___ need to ensure that services they deploy to the cloud are used according to laws and regulations that are in place for the employees, foreign subsidiaries, or third parties

Answer 74

Global companies

Question 75

The importance of business continuity and disaster recovery needs to be stressed
–Two primary possible scenarios should be considered

Answer 75

• A provider may go out of business

* A provider’s data center may become inoperable

Question 76

A cloud provider may be contacted directly to provide data to a third party, via a ___

Answer 76

court order

The cloud provider needs to know what actions to take in this event
•You may well want to dispute the request
•You will therefore need to be assured that the cloud service provider informs you in a timely manner before it complies with the request