SP-011: Cloud Computing Pattern
Services provided by the Cloud Computing environment are not under direct control and therefore a few control families become more significant. Controls in the CA series increase in importance to ensure oversight and assurance given that the operations are being "outsourced" to another provider. SA-1/4/5 are crucial to ensure that acquisition of services are managed correctly. CP-1 helps ensure a clear understanding of how to respond in the event of interruptions to service delivery. The RA controls are very important to understand the risks associated with the service in a business context, but may be challenging to implement, depending on the supplier and the degree of visibility into their operations.
Cloud computing can be defined as the provision of computing services via the Internet such as
- Applications (Software as a Service or SaaS),
- Infrastructure (IaaS),
- Process Orchestration and Integration.
The cloud model is of great interest to service providers because it likely represents the next great wave of innovation sweeping across the the Internet and presents tremendous business opportunities for those who can successfully define and implement the new paradigm. End users are interested because services are reasonably priced and can be accessed from any browser giving access to the computing environment from any location and making collaboration much easier. Corporate IT departments are interested because the model reduces capital investments, removes constraints on power and space, may deliver much faster development and implementation times, and promises to simplify the management of complex environments.
So it should be a simple decision to scrap the legacy environments and move to the cloud? Well, for many use cases especially private end users and Small to Medium Enterprises (SME's) the risk versus reward is strongly in favor of adopting relevant new Cloud services as they become available. However for large organizations, especially those in regulated sectors the decision is not so simple.
Key control areas:
There are a number of control areas that must be consider carefully before you move computing operations to Cloud Services:
- Contractual agreements- who owns the data, what rights or recourse do you have for security breaches or incidents, what happens when you want to move to another provider?
- Certification and 3rd party audits- is the provider certified e.g. SAS-70 (remember the scope of a SAS-70 will determine how much trust you can place in it), can you request independent audits of the facilities and operations?
- Compliance requirements- do they meet your organisations compliance needs, e.g. Data Privacy, Safe Harbor. Where are the operations located and where would your data reside? Be aware that providers will need to obey law enforcement regulations in their operating locations, and may be obliged to disclose data without your consent to government and law enforcement agencies if requested.
- Availability, reliability and resilience- what happens when the service is not available? What are the points where you need additional resilience for access?
- Backup and recovery- in the event of a physical or logical disaster what are the Recovery Point and Recovery Time Objectives (RPO/RTO) that you will need and they will provide?
- Service levels and Performance- what do they offer and what do you need? What happens if the service is below expectations? Remember a service may be available but have an unacceptable performance level or response times.
- Decommissioning- will data be securely deleted once it is no longer needed? What about the virtual machines or processes you are using? Will fragments reside client side in your browser that you need to be aware of?
A key activity that is shared by the architect, the security manager and the business manager is to jointly agree the controls required. They should:
- Agree on the control baseline applicable to this cloud sourcing activity/service
- Confirm how this translates into the control framework of the cloud provider, because unlike regular supplier contracting it is very improbable that the cloud provider will directly implement the controls specified by the customer. It is more likely that the cloud service provider will refer to his standard (PCI DSS adherent, NIST adherent or ISO adherent) control framework.
- Decide on additional risk mitigating controls.
You will likely need supporting services if your process is comprised of a number of cloud services. Some of the important ones to consider are:
- Security (OpenID, .Net Access Control, PKI), Billing (DevPay),
- Load Monitoring and Testing (Soasta, Hyperic)
- Provisioning and Configuration Mgmt (Rightscale)
This is an evolving area and standards for integration are still emerging. Maintaining a security context across a number of seperate cloud providers can be a real challenge! Especially when you consider that you likely want to use roles to manage authorisation to different functions. There is a good case for maintaining your own directory and federation services that you will use to provide authentication across in-house and cloud services. Where possible it is recommended to abstract the authentication and authorisation services behind industry standard interfaces such as SAML
Cloud services will likely be complex webs and in fact the service you recieve may in fact be provided by another cloud provider (e.g. Box.net use Amazon S3). This became apparent when an Amazon S3 outage affected a number of services that had been built using Amazon for storage. The chain of dependencies may not be obvious, make checks according to the criticality of your requirements. If creating custom code elements the developer constantly needs to consider code refactoring to keep the code base as simple as possible and hence mitigate what is frequently the biggest overall IT Risk, complexity.
- SaaS: Salesforce, Google Docs, Facebook, LinkedIn, Doodle.
- Content: SpringCM, Xythos OnDemand, GoogleBase
- Platform as a Service: Force.com, Google App Engine, Bungee Labs Connect, Etelos, Intiuit Quickbase, LongJump, Apprenda SaasGrid, Oracle Saas Platform, MS Azure
- Data: Amazon S3, Box.net, Google Base, Amazon SimpleDB, Trackvia, Microsoft SSDS.
- Cloud Providers : IBM Blue Cloud, Joyent, GoGrid, SunGrid, Amazon EC2,
- Integration: Boomi, Mule OnDemand, OpSource Connect (OSB), Amazon SQS, Microsoft BizTalk Services
- Orchestration: ProcessMaker, Appian Anywhere, Skemma, Intensil
- Billing, Contract Management: OpSource/LeCayla, Aria, eVapt, Amazon DevPay, Zuora
- Security: OpenID, OAuth, Ping Identity
- Cloud Deployment: rPath, CohesiveFT, VMWare, Xen, Parallels, Bea Weblogic Server VE, 3Tera AppLogic, Elastra Cloud Server
Assumptions: Cloud computing is an evolving area and it is expected that this pattern will be revised within a year to reflect developments. It is likely that for large corporates a prudent and realistic strategy will be to deploy for test and development environments, which give some benefits without the downside of exposing production data sets.
Typical challenges: Trustworthiness of partner-how to establish and track? Lack of certainty on many aspects of controls required. Compliance. Ability to move to other providers. Authentication and authorization across multiple providers and systems.
Indications: Organization who will provide some or all of their computing environment via cloud services. Organization has constraints on existing power or space, desire to reduce capital expenditure, need to provision services rapidly, big variations in computing demand, collaboration with wide range of B2B partners.
Contra-indications: Lack of understanding of your compliance needs or inability to confirm how the supplier will meet your requirements.
Resistance against threats: Untrustworthy supplier, eavesdropping, impersonation, data theft, lack of performance and logical and physical disasters are addressed by this pattern. Consider checking supplier applications for Cross-site scripting (XSS) attacks which can be used to log keystrokes and capture data, and propagate web application worms such as Samy. Feed injection for RSS and Atom can allow an attacker to compromise applications, if feeds are not properly secured.
MS Azure presentation gives useful information on threats and broader considerations when using the cloud:
Hoffs' security blog covers cloud security way along with many other topics:
Google Apps Type II SAS-70:
Cloud Security Blog from Craig Balding is a nice technical and news resource:
The European Network and Information Security Agency (ENISA) have published a useful report on the risks associated with Cloud Computing as of Nov 2009
NIST Definition of Cloud Computing (Security)
All other major vendors have their own literature and approaches, just search on Google!
Relevant technologies that underpin cloud service provision:
- RSS (Really simple syndication) allows publication and subscription to frequently changing content
- Flash/Flex/Air/Silverlight/Gears are Client side programming and runtime execution environments that provide a richer browser experience
- SOAP (Simple Object Access Protocol) is a method for remote proceedure calls using XML over http
- REST (Representational State Transfer) is a simple architectural style that transfers state information via http resource requests.
Related patterns: Identity management.
Classification: Cloud computing.
Reviewer(s): Tobias, Spinoza
AC-01 Access Control Policies and Procedures
AC-02 Account Management
AC-03 Access Enforcement
AC-04 Information Flow Enforcement
AC-13 Supervision And Review -- Access Control
AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AU-06 Audit Monitoring, Analysis, And Reporting
CA-01 Certification, Accreditation, And Security Assessment Policies And Procedures
CA-02 Security Assessments
CA-03 Information System Connections
CA-04 Security Certification
CA-06 Security Accreditation
CA-07 Continuous Monitoring
CM-01 Configuration Management Policy And Procedures
CM-02 Baseline Configuration
CM-03 Configuration Change Control
CM-04 Monitoring Configuration Changes
CM-05 Access Restrictions For Change
CP-01 Contingency Planning Policy And Procedures
IA-01 Identification And Authentication Policy And Procedures
IA-02 User Identification And Authentication
IA-03 Device Identification And Authentication
IA-05 Authenticator Management
IR-01 Incident Response Policy And Procedures
PL-01 Security Planning Policy And Procedures
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
RA-03 Risk Assessment
RA-04 Risk Assessment Update
SA-01 System And Services Acquisition Policy And Procedures
SA-02 Allocation Of Resources
SA-03 Life Cycle Support
SA-05 Information System Documentation
SA-09 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing SC-01 System And Communications Protection Policy And Procedures
SC-02 Application Partitioning
SC-03 Security Function Isolation
SC-04 Information Remnance
SC-05 Denial Of Service Protection
SC-06 Resource Priority
SC-07 Boundary Protection
SC-08 Transmission Integrity
SC-09 Transmission Confidentiality
SC-11 Trusted Path
SC-12 Cryptographic Key Establishment And Management
SC-18 Mobile Code
SI-02 Flaw Remediation
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques