Cloud computing has been growing by leaps and bounds as organizations look to cut costs. It converts capex on hardware, OS and software into a pay-as-you-go model. Computing so far has been too hardware-centric, with the OS loaded first and the application installed on top of it. Thus, business applications are constrained by the hardware resources available, such as the computing power of the CPU, availability of memory, network throughput and storage, and by the configuration and limitations of the OS. Cloud computing abstracts and orchestrates hardware to make these resources available on demand, when required. It breaks the nexus between application scalability and hardware availability. No one owns a power station to light their home or a water reservoir to have showers. Along the same lines, nobody buys an apartment to stay in for a few days a year. Similarly, compute power should be available only when required, based on units used. The cloud's tangibility and usage are transparent to users, who use it for email like Gmail, editors like Google Docs & Sheets, and productivity tools such as PowerPoint and Excel through Office 365.
Cloud Computing Characteristics, Service & Deployment Models:
According to NIST Special Publication (SP) 800-145, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud is composed of five essential characteristics, three service models, and four deployment models”
The five essential characteristics are:
- On-Demand Self-Service:
Customers should be able to provision servers with compute and memory, operating systems, network resources, database instances, applications or the number of users for a given application, based on service level agreements (SLA). For small businesses and individuals this could be through the ubiquitous use of a credit card, for example with Amazon’s AWS S3 and EC2.
- Broad Network Access:
Customers access cloud services over the internet from a variety of devices such as mobiles, tablets and laptops, through a thick client or a browser.
- Resource Pooling:
The cloud service provider (CSP) provides a common pool of resources which is dynamically allocated to subscribers of its service. Most businesses have workload requirements which are cyclical and seasonal in nature. One of the most advantageous aspects of cloud is that subscribers can draw on the service provider's pooled resources as and when needed and relinquish them when there is no need, under the supervision and control of the CSP.
- Rapid Elasticity:
The resources required by customers can be scaled in or scaled out programmatically through an API (Application Programming Interface) based on demand. This is a natural corollary to the “on demand self-service” characteristic. It gives applications the feeling of unlimited resources.
- Measured Service:
In a traditional data center, once the compute, network throughput, storage, OS, databases or applications are procured, they become part of the assets on the balance sheet irrespective of usage. In cloud computing these can be procured on a need basis and returned when not in use.
The resources in the cloud are abstracted and orchestrated through virtualization technologies to make them agnostic of the underlying hardware and even the operating system.
Threats & Risks Within Cloud:
In a traditional data center, the infrastructure is hosted on premises or at a data center service provider. The organization may have outsourced its IT services and hosted them at the service provider’s premises, but policies, procedures and operations oversight are still under management control.
Let us look at a few of the risks which are unique to cloud because of the characteristics mentioned above:
- Data Disclosure: Data in the cloud is processed and stored not on dedicated servers or storage but on resources which could be assigned to different subscribers. When that server or storage is assigned to another guest, there could be remanence of information, leading to data leakage.
- Jurisdiction Issues: Cloud providers have data centers across various geographies to take advantage of utility costs, natural cooling and other factors. Many countries have data localization requirements which customers of cloud services have to adhere to. Besides, in case of criminal or tax investigations, certain electronic evidence (eDiscovery order) has to be provided to law enforcement agencies. Cloud providers may find it a challenge to enforce this order if the data is not located in a friendly jurisdiction.
- Data Repatriation: At the end of the contract, the organization should be able to get its data back to its premises or port it to another cloud provider. This could be a challenge, as data on a hard disk cannot be degaussed or incinerated because the disk is not owned by the organization. Overwriting data with a random pattern or zeros multiple times may not remove the data, as it can be recovered through advanced tools.
- Insecure Interfaces & APIs (Application Programming Interfaces): Cloud infrastructure, platforms and applications are accessed through APIs, which are used by both the CSP and its customers. These could be within the cloud data center, used by the CSP for management, and outside it, used by customers to access cloud resources.
- Vendor Lock-In: In a traditional data center, vendors try to lock in their customers through proprietary protocols, data formats, hardware or interfaces. Similar risks exist in the cloud, where customers may be unable to leave, migrate or transfer their data.
Significance of Cloud Security and Privacy
In view of these risks, various standards and frameworks have been issued to provide guidance on the implementation of controls. These are:
- ISO Standards:
ISO 27017:2015: Code of practice for information security controls based on ISO 27002 for cloud services
ISO 27018:2019: Code of practice for protection of personally identifiable information (PII) in public cloud for data processors
- AICPA’s SSAE (Statements on Standards for Attestation Engagements) provides assurance based on the trust service criteria of security, confidentiality, processing integrity and availability.
- Common Criteria (CC) Certification can also be used for cloud services specified as a product. The cloud customer's Security Functional Requirements (SFR), and their controls through Security Assurance Requirements (SAR), define a Product Profile (PP) against which the CSP can demonstrate compliance for its products, also known as the Security Target (ST).
- Cloud Security Alliance (CSA) STAR: CSA is the pioneer in cloud computing security and counts industry experts, service providers, consumers, auditors and government bodies among its members. CSA runs the Security, Trust & Assurance Registry (STAR) certification program for CSPs. Let us explore this further.
STAR for Cloud Services:
The STAR program has 3 tiers: self-assessment, 3rd party certification and continuous monitoring, as depicted in the figure below.
Self-assessment is through the Consensus Assessment Initiative Questionnaire (CAIQ), built on the 14 domains of the Cloud Controls Matrix (CCM).
- Application & Interface Security: This control domain relates to the security of APIs before granting access to data, assets and systems
- Audit Assurance & Compliance Audit Planning: The cloud provider shall adopt a control framework and ensure compliance at least annually.
- Business Continuity & Operational Resilience
- Change Control & Configuration Management
- Data Security & Information Lifecycle Management
- Datacenter Security
- Encryption & Key Management
- Governance & Risk Management
- Human Resources
- Identity & Access Management
- Infrastructure & Virtualization Security
- Interoperability & Portability
- Mobile Security
- Security Incident Management, E-Discovery & Cloud Forensics
- Supply Chain Management, Transparency & Accountability
- Threat & Vulnerability Management
CCM is a meta-framework of cloud-specific controls mapped to standards such as ISO 27001, PCI-DSS and the AICPA Trust Services Criteria, regulations such as EU-GDPR and FedRAMP, and frameworks such as COBIT and the Generally Accepted Privacy Principles (GAPP).
Third Party Assessment: This shall be conducted by a CPA (Certified Public Accountant) as a SOC 2 engagement based on Trust Services Principles (TSC) and CCM to achieve Level 2 STAR attestation. Similarly, ISO 27001:2013 accreditation in conjunction with CCM will qualify the cloud provider for STAR certification.
Continuous automated assessments: STAR Continuous provides automated assessment of the security practices of CCM through Cloud Trust Protocol (CTP) and Cloud Audit. CTP provides a mechanism to report configuration, vulnerabilities, accountability and operational status in a transparent manner. Cloud Audit is a set of specifications which provides a common interface for reporting by the cloud provider on various control standards and frameworks. It automates the collection and assertion of operational, security, assessment, audit and assurance information through a common XML-formatted API.
Cloud technologies and solutions are major enablers for businesses embarking on the journey towards digital transformation, which includes IoT, data analytics, artificial intelligence and blockchain, to name a few. Cyber security in cloud computing is imperative, and the scale of reporting on controls needs the STAR program for more reliable, automated and effective auditing techniques.
- NIST SP 800-145: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
- Cloud Security Alliance: https://cloudsecurityalliance.org/