SP-999: PDF and Print Test

Test Pattern

Diagram:

Legend:

Services provided by the Cloud Computing environment are not under direct control and therefore a few control families become more significant. Controls in the CA series increase in importance to ensure oversight and assurance given that the operations are being "outsourced" to another provider. SA-1/4/5 are crucial to ensure that acquisition of services are managed correctly. CP-1 helps ensure a clear understanding of how to respond in the event of interruptions to service delivery. The RA controls are very important to understand the risks associated with the service in a business context, but may be challenging to implement, depending on the supplier and the degree of visibility into their operations.

Description:

Cloud computing can be defined as the provision of computing services via the Internet such as

The cloud model is of great interest to service providers because it likely represents the next great wave of innovation sweeping across the the Internet and presents tremendous business opportunities for those who can successfully define and implement the new paradigm. End users are interested because services are reasonably priced and can be accessed from any browser giving access to the computing environment from any location and making collaboration much easier. Corporate IT departments are interested because the model reduces capital investments, removes constraints on power and space, may deliver much faster development and implementation times, and promises to simplify the management of complex environments.
So it should be a simple decision to scrap the legacy environments and move to the cloud? Well, for many use cases especially private end users and Small to Medium Enterprises (SME's)  the risk versus reward is strongly in favor of adopting relevant new Cloud services as they become available. However for large organizations, especially those in regulated sectors the decision is not so simple.

Key control areas:

There are a number of control areas that must be consider carefully before you move computing operations to Cloud Services:

A key activity that is shared by the architect, the security manager and the business manager is to jointly agree the controls required. They should:
You will likely need supporting services if your process is comprised of a number of cloud services. Some of the important ones to consider are:

This is an evolving area and standards for integration are still emerging. Maintaining a security context across a number of seperate cloud providers can be a real challenge! Especially when you consider that you likely want to use roles to manage authorisation to different functions. There is a good case for maintaining your own directory and federation services that you will use to provide authentication across in-house and cloud services. Where possible it is recommended to abstract the authentication and authorisation services behind industry standard interfaces such as SAML

Cloud services will likely be complex webs and in fact the service you recieve may in fact be provided by another cloud provider (e.g. Box.net use Amazon S3). This became apparent when an Amazon S3 outage affected a number of services that had been built using Amazon for storage. The chain of dependencies may not be obvious, make checks according to the criticality of your requirements. If creating custom code elements the developer constantly needs to consider code refactoring to keep the code base as simple as possible and hence mitigate what is frequently the biggest overall IT Risk, complexity.

Examples:

Applications/SaaS include

Platform service providers include
Infrastructure as a service include
Examples of Integration and Orchestration include

Assumptions: Cloud computing is an evolving area and it is expected that this pattern will be revised within a year to reflect developments. It is likely that for large corporates a prudent and realistic strategy will be to deploy for test and development environments, which give some benefits without the downside of exposing production data sets.

Typical challenges: Trustworthiness of partner-how to establish and track? Lack of certainty on many aspects of controls required. Compliance. Ability to move to other providers. Authentication and authorization across multiple providers and systems.

Indications: Organization who will provide some or all of their computing environment via cloud services. Organization has constraints on existing power or space, desire to reduce capital expenditure, need to provision services rapidly, big variations in computing demand, collaboration with wide range of B2B partners.

Contra-indications: Lack of understanding of your compliance needs or inability to confirm how the supplier will meet your requirements.

Resistance against threats: Untrustworthy supplier, eavesdropping, impersonation, data theft, lack of performance and logical and physical disasters are addressed by this pattern. Consider checking supplier applications for Cross-site scripting (XSS) attacks which can be used to log keystrokes and capture data, and propagate web application worms such as Samy. Feed injection for RSS and Atom can allow an attacker to compromise applications, if feeds are not properly secured.

References:
MS Azure presentation gives useful information on threats and broader considerations when using the cloud:
http://www.slideshare.net/davidcchou/microsoft-cloud-services-architecture-presentation?type=powerpoint
Developer perspective:
http://blog.smashedapples.com/cloud_services/
Hoffs' security blog covers cloud security way along with many other topics:
http://rationalsecurity.typepad.com/
Google Apps Type II SAS-70:
http://googleenterprise.blogspot.com/2008/11/sas-70-type-ii-for-google-apps.html
Cloud Security Blog from Craig Balding is a nice technical and news resource:
http://cloudsecurity.org/
All other major vendors have their own literature and approaches, just search on Google!

Relevant technologies that underpin cloud service provision:

Related patterns: Identity management.

Classification: Cloud computing.

Release: 08.02

Authors: Phaedrus

Reviewer(s): Tobias, Spinoza

Control details
AC-01 Access Control Policies and Procedures
AC-02 Account Management
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-13 Supervision And Review -- Access Control
AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AU-06 Audit Monitoring, Analysis, And Reporting
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-02 Security Assessments
CA-03 Information System Connections
CA-04 Security Certification
CA-06 Security Accreditation
CA-07 Continuous Monitoring
CM-01 Configuration Management Policy And Procedures
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-04 Monitoring Configuration Changes
CM-05 Access Restrictions For Change
CP-01 Contingency Planning Policy And Procedures
IA-01 Identification And Authentication Policy And Procedures
IA-02 User Identification And Authentication
IA-03 Device Identification And Authentication
IA-05 Authenticator Management
IR-01 Incident Response Policy And Procedures
PL-01 Security Planning Policy And Procedures
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
RA-03 Risk Assessment
RA-04 Risk Assessment Update
SA-01 System And Services Acquisition Policy And Procedures
SA-02 Allocation Of Resources
SA-03 Life Cycle Support
SA-04 Acquisitions
SA-05 Information System Documentation
SA-09 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing SC-01 System And Communications Protection Policy And Procedures
SC-02 Application Partitioning
SC-03 Security Function Isolation
SC-04 Information Remnance
SC-05 Denial Of Service Protection
SC-06 Resource Priority
SC-07 Boundary Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment And Management
SC-18 Mobile Code
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques

Print