Cloud Computing Security for Cloud Service Providers

Download Cloud Computing Security for Cloud Service Providers (PDF), April 2015

Audience

  1. This document is designed to assist assessors validating a cloud service’s security posture to provide tenants with increased assurance, rather than tenants relying solely on assertions or contractual commitments from the Cloud Service Provider. This document can also be used by Cloud Service Providers that want to offer secure cloud services.
  2. The tenant organisation’s cyber security team, cloud architects and business representatives should refer to the companion document Cloud Computing Security for Tenants.

Introduction

  1. Cloud computing, as defined by the US National Institute of Standards and Technology (PDF), offers organisations potential benefits such as improved business outcomes.
  2. Mitigating the risks associated with using cloud services is a responsibility shared between the organisation (referred to as the “tenant”) and the Cloud Service Provider, including their subcontractors (referred to as the “CSP”). However, organisations are ultimately responsible for protecting their data and ensuring its confidentiality, integrity and availability.
  3. Organisations need to perform a risk assessment (PDF) and implement associated mitigations before using cloud services. Risks vary depending on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response. Organisations need to compare these risks against an objective risk assessment of using inhouse computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements.
  4. The scope of this document covers Infrastructure as a Service, Platform as a Service and Software as a Service, provided by a CSP as part of a public cloud, community cloud and, to a lesser extent, a hybrid cloud or outsourced private cloud.
  5. This document focuses on the use of cloud services for storing or processing sensitive data and highly sensitive data. For Australian government agencies and for the purposes of this document: sensitive data is defined as data that is unclassified with a dissemination limiting marker (DLM) such as For Official Use Only (FOUO) or Sensitive: Personal (which aligns with the definition of sensitive information in the Privacy Act 1988); highly sensitive data is defined as data classified as PROTECTED. Additionally, this document can assist with mitigating risks to the availability and integrity of non-sensitive data, defined for Australian government agencies as unclassified publicly releasable data. Mitigations are listed in no particular order of prioritisation.
  6. The Australian Government Information Security Manual (ISM) provides policy guidance for mitigations such as ASD-approved cryptographic controls. The Strategies to Mitigate Targeted Cyber Intrusions provide additional guidance for mitigations such as prompt patching, prompt log analysis, securing computers, as well as network segmentation and segregation.

Further information

  1. Australian government agencies applying the ISM must only use outsourced cloud services listed on ASD Certified Cloud Services List (CCSL). Agencies need to perform accreditation, including reviewing the certification report, to determine whether the residual risk of their proposed use of the cloud service is acceptable. Agencies also need to perform an additional due diligence review of financial, privacy, data ownership, data sovereignty and legal risks.
  2. This document and additional advice is available at Cloud Computing Security.

Contact

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Cloud Computing Security for Cloud Service Providers

Risk Mitigation reference number Mitigations
Most effective risk mitigations generally relevant to all types of cloud services: Infrastructure as a Service (IaaS), Platform as a Services (PaaS) and Software as a Service (SaaS)
Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data 1 - General Obtain certification1 of the cloud service and underlying infrastructure (explicitly addressing mitigations in this document) against the ISM6 at the appropriate classification level required to handle the tenant’s data.
2 - General Implement security governance involving senior management directing and coordinating security-related activities including robust change management, as well as having technically skilled staff in defined security roles.
3 - General Implement and annually test an incident response plan providing the tenant with emergency contact details, the ability to access forensic evidence otherwise inaccessible to the tenant, and contractual notification of incidents.
Tenant’s data compromised in transit by malicious third party 4 - General Support and use ASD-approved cryptographic controls to protect data in transit between the tenant and the CSP e.g. application layer TLS or IPsec VPN with approved algorithms, key length and key management.
5 - General Use ASD-approved cryptographic controls to protect data in transit between the CSP’s data centres over insecure communication channels such as public Internet infrastructure.
6 - General Support and use ASD-approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the tenant and the CSP when transferring data as part of on-boarding or off-boarding.
Tenant’s cloud service account credentials compromised by malicious third party 8,9,10,11 7 - General Provide Identity and Access Management e.g. multi-factor authentication and account roles with varying privileges12 for the tenant to use and administer the cloud service via the CSP’s website control panel and API.
8 - General Support and use ASD-approved cryptographic controls to protect credentials and administrative activity in transit when the tenant uses and administers the cloud service via the CSP’s website control panel and API.
9 - General Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated for the tenant’s cloud service accounts used to access, and especially to administer, the cloud service.
Tenant’s data compromised by malicious CSP staff or malicious third party 10 - General Enable the tenant to download detailed time-synchronised logs and obtain real-time alerts generated by the cloud service used by the tenant e.g. operating system, web server and application logs.
11 - General Disclose the countries and legal jurisdictions where tenant data is (or will be in the coming months) stored, backed up, processed13 and accessed by CSP staff for troubleshooting, remote administration and customer support.
12 - General Perform background checks of CSP staff commensurate with their level of access to systems and data. Maintain security clearances for staff with access to highly sensitive data14.
13 - General Use physically-secure data centres and offices that store tenant data or that can access tenant data15. Verify and record the identity of all staff and visitors. Escort visitors to mitigate them accessing data without authorisation.
14 - General Restrict CSP staff privileged access to systems and data based on their job tasks12. Require re-approval every three months for CSP staff requiring privileged access. Revoke access upon termination of CSP staff employment.
15 - General Promptly analyse logs of CSP staff actions that are logged to a secured and isolated log server. Implement separation of duties by requiring log analysis to be performed by CSP staff who have no other privileges or job roles.
16 - General Perform a due diligence review of suppliers before obtaining software, hardware or services, to assess the potential increase to the CSP’s security risk profile.
17 - General Use ASD-approved cryptographic controls to protect highly sensitive data at rest. Sanitise storage media prior to repair, disposal, and tenant off-boarding with a non-disclosure agreement for data in residual backups.
Tenant’s data compromised by another malicious/compromised tenant 16,17,18,19,20,21,22,23,24,25 18 - General Implement multi-tenancy mechanisms to prevent the tenant’s data being accessed by other tenants. Isolate network traffic, storage, memory and computer processing. Sanitise storage media prior to its reuse.
Tenant’s data unavailable due to corruption, deletion9, or CSP terminating the account/service 19 - General Enable the tenant to perform up-to-date backups in a format that avoids CSP lock-in. If an account or cloud service is terminated, immediately notify the tenant and provide them with at least a month to download their data.
Tenant’s data unavailable or compromised due to CSP bankruptcy or other legal action 20 - General Contractually ensure that the tenant retains legal ownership of their data.
Cloud service unavailable due to CSP’s inadequate network connectivity 21 - General Support adequately high bandwidth, low latency, reliable network connectivity between the tenant and the cloud service to meet the claimed level of availability as required by the tenant.
Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature 22 - General Architect to meet the claimed level of availability as required by the tenant e.g. minimal single points of failure, clustering and load balancing, data replication, automated failover and real-time availability monitoring.
23 - General Develop and annually test a disaster recovery and business continuity plan to meet the claimed level of availability as required by the tenant, e.g. enacted for incidents that cause enduring loss of CSP staff or infrastructure.
Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service 24 - General Implement denial of service mitigations to meet the claimed level of availability as required by the tenant e.g. redundant high bandwidth external and internal network connectivity with traffic throttling and filtering.
25 - General Provide infrastructure capacity and responsive automated scaling to meet the claimed level of availability as required by the tenant.
Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service 26 - General Enable the tenant to manage the cost of a genuine spike in demand or denial of service via contractual spending limits, real-time alerts, and configurable maximum limits for their use of the CSP’s infrastructure capacity.
CSP’s infrastructure compromised by malicious tenant or malicious third party 27 - General Use corporately approved and secured computers, jump servers, dedicated accounts, strong passphrases and multi-factor authentication, to provide customer support and administer cloud services and infrastructure.
28 - General Use ASD-approved cryptographic controls to protect credentials and administrative activity in transit over insecure communication channels between the CSP’s data centre and CSP administrator / customer support staff.
29 - General Implement network segmentation and segregation26 between the Internet, CSP infrastructure used by tenants, the network that the CSP uses to administer cloud services and infrastructure, and the CSP’s corporate LAN.
30 - General Utilise secure programming practices for software developed by the CSP 27,28,29.
31 - General Perform secure configuration, ongoing vulnerability management, prompt patching, annual third party security reviews and penetration testing of cloud services and underlying infrastructure.
32 - General Train all CSP staff, especially administrators, on commencement of employment and annually, to protect tenant data, maintain cloud service availability, and proactively identify security incidents e.g. via prompt log analysis.
Most effective risk mitigations particularly relevant to IaaS
Tenant’s Virtual Machine (VM) compromised by malicious third party8 1 - IaaS Provide network access controls enabling the tenant to implement network segmentation and segregation26, including a network filtering capability to disallow remote administration of their VMs except from their IP address.
2 - IaaS Provide the tenant with securely configured and patched VM template images. Avoid assigning a weak administrative passphrase to newly provisioned VMs.
Most effective risk mitigations particularly relevant to PaaS
Tenant’s data compromised by malicious third party 1 - PaaS Harden and securely configure operating system, web server and platform software. Limit inbound and outbound network connectivity to only required ports/protocols. Promptly perform patching and log analysis.
Most effective risk mitigations particularly relevant to SaaS
Tenant’s data compromised by malicious third party 1 - SaaS Implement security controls specific to the cloud service e.g. for email delivered as a service, provide features including whitelisted content filtering with automated dynamic analysis of emails and email attachments.
2 - SaaS Implement general security controls7 e.g. limited inbound and outbound network connectivity to only required ports/protocols, antivirus software updated daily, intrusion prevention systems and prompt log analysis.

Footnotes

  1. ASD Information Security Registered Assessors Program (IRAP)
  2. ASD Cloud Computing Security
  3. NIST Special Publication 800-145: NIST Definition of Cloud Computing (PDF)
  4. Attorney-General's Department Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including Cloud) (PDF)
  5. Office of the Australian Information Commissioner Privacy fact sheet 17: Australian Privacy Principles
  6. ASD Australian Government Information Security Manual
  7. ASD Strategies to Mitigate Targeted Cyber Intrusions
  8. BrowserStack Apologies for the downtime, but we're coming back stronger
  9. Dark Reading Code Hosting Service Shuts Down After Cyber Attack
  10. Securosis My $500 Cloud Security Screwup
  11. The Register US giant NBC 'leaks' PRIVATE Amazon keys in Github Glenn gaffe
  12. ASD Restricting Administrative Privileges Explained
  13. Department of Defence Defence optometry contract cancelled
  14. Attorney-General's Department Protective Security Policy Framework: Australian Government Personnel Security Core Policy
  15. Attorney-General's Department Protective Security Policy Framework: Australian Government Physical Security Management Core Policy
  16. CVE Details Vmware Esxi : Security Vulnerabilities
  17. Microsoft Security Bulletin MS13-092: Vulnerability in Hyper-V Could Allow Elevation of Privilege
  18. CVE XEN Security Vulnerabilities
  19. Red Hat qemu-kvm security update
  20. CVE CVE-2013-0311
  21. Docker Docker Container Breakout Proof-of-Concept Exploit
  22. OpenSource.com Are Docker containers really secure?
  23. The Register How secure is Docker? If you're not running version 1.3.2, NOT VERY
  24. The Register Batten down the patches: New vuln found in Docker container tech
  25. SecLists.org Google App Engine Java security sandbox bypasses
  26. ASD Network Segmentation and Segregation
  27. Microsoft Security Development Lifecycle
  28. SANS Institute Top 25 Most Dangerous Software Errors
  29. Open Web Application Security Project OWASP Proactive Controls
  30. Department of Finance Cloud Computing