Cloud Computing Security for Tenants

Download Cloud Computing Security for Tenants (PDF), April 2015

Audience

  1. This document is designed to assist a tenant organisation’s cyber security team, cloud architects and business representatives to work together to perform a risk assessment and use cloud services securely.
  2. Assessors validating the security posture of a cloud service, and Cloud Service Providers that want to offer secure cloud services, should refer to the companion document Cloud Computing Security for Cloud Service Providers.

Introduction

  1. Cloud computing, as defined by the US National Institute of Standards and Technology (PDF), offers organisations potential benefits such as improved business outcomes.
  2. Mitigating the risks associated with using cloud services is a responsibility shared between the organisation (referred to as the “tenant”) and the Cloud Service Provider, including their subcontractors (referred to as the “CSP”). However, organisations are ultimately responsible for protecting their data and ensuring its confidentiality, integrity and availability.
  3. Organisations need to perform a risk assessment (PDF) and implement associated mitigations before using cloud services. Risks vary depending on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response. Organisations need to compare these risks against an objective risk assessment of using inhouse computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements.
  4. The scope of this document covers Infrastructure as a Service, Platform as a Service and Software as a Service, provided by a CSP as part of a public cloud, community cloud and, to a lesser extent, a hybrid cloud or outsourced private cloud.
  5. This document focuses on the use of cloud services for storing or processing sensitive data and highly sensitive data. For Australian government agencies and for the purposes of this document: sensitive data is defined as data that is unclassified with a dissemination limiting marker (DLM) such as For Official Use Only (FOUO) or Sensitive: Personal (which aligns with the definition of sensitive information in the Privacy Act 1988); highly sensitive data is defined as data classified as PROTECTED. Additionally, this document can assist with mitigating risks to the availability and integrity of non-sensitive data, defined for Australian government agencies as unclassified publicly releasable data. Mitigations are listed in no particular order of prioritisation.
  6. The Australian Government Information Security Manual (ISM) provides policy guidance for mitigations such as ASD-approved cryptographic controls. The Strategies to Mitigate Targeted Cyber Intrusions provide additional guidance for mitigations such as prompt patching, prompt log analysis, securing computers, as well as network segmentation and segregation.

Further information

  1. Australian government agencies applying the ISM must only use outsourced cloud services listed on ASD Certified Cloud Services List (CCSL). Agencies need to perform accreditation, including reviewing the certification report, to determine whether the residual risk of their proposed use of the cloud service is acceptable. Agencies also need to perform an additional due diligence review of financial, privacy, data ownership, data sovereignty and legal risks.
  2. This document and additional advice is available at Cloud Computing Security.

Contact

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Cloud Computing Security for Tenants

Risk Mitigation reference number Mitigations
Most effective risk mitigations generally relevant to all types of cloud services: Infrastructure as a Service (IaaS), Platform as a Services (PaaS) and Software as a Service (SaaS)
Overarching failure to maintain the confidentiality, integrity and availability of the tenant’s data 1 - General Use a cloud service that has been assessed1, certified and accredited against the ISM6 at the appropriate classification level, addressing mitigations in the document Cloud Computing Security for Cloud Service Providers2.
2 - General Implement security governance involving senior management directing and coordinating security-related activities including robust change management8, as well as having technically skilled staff in defined security roles.
3 - General Implement and annually test an incident response plan covering data spills, electronic discovery, and how to obtain and analyse evidence e.g. time-synchronised logs, hard disk images, memory snapshots and metadata 9,10.
Tenant’s data compromised in transit by malicious third party 4 - General Use ASD-approved cryptographic controls to protect data in transit between the tenant and the CSP e.g. application layer TLS or IPsec VPN with approved algorithms, key length and key management.
5 - General Use ASD-approved cryptographic controls to protect data at rest on storage media in transit via post/courier between the tenant and the CSP when transferring data as part of on-boarding or off-boarding.
Tenant’s cloud service account credentials compromised by malicious third party 10,11,12,13 6 - General Use a corporately approved and secured computer, multi-factor authentication, a strong passphrase, least access privileges14 and encrypted network traffic to administer (and, if appropriate, access) the cloud service.
7 - General Protect authentication credentials e.g. avoid exposing Application Programming Interface (API) authentication keys placed on insecure computers or in the source code of software that is accessible to unauthorised third parties.
8 - General Obtain and promptly analyse detailed time-synchronised logs and real-time alerts for the tenant’s cloud service accounts used to access, and especially to administer, the cloud service.
Tenant’s data compromised by malicious CSP staff or malicious third party 9 - General Obtain and promptly analyse detailed time-synchronised logs and real-time alerts generated by the cloud service used by the tenant e.g. operating system, web server and application logs.
10 - General Avoid providing the CSP with account credentials (or the ability to authorise access) to sensitive systems outside of the CSP’s cloud such as systems on the tenant’s corporate network.
Tenant’s data compromised by another malicious/compromised tenant 15,16,17,18,19,20,21,22,23,24 11 - General Use multi-tenancy mechanisms provided by the CSP e.g. to separate the tenant’s web application and network traffic from other tenants, use the CSP’s hypervisor virtualisation instead of web server software virtual hosting.
Tenant’s data unavailable due to corruption, deletion11, or CSP terminating the account/service 12 - General Perform up-to-date encrypted backups in a format avoiding CSP lock-in, stored offline at the tenant’s premises or at a second CSP requiring multi-factor authentication to modify/delete data. Annually test the recovery process.
Tenant’s data unavailable or compromised due to CSP bankruptcy or other legal action 13 - General Contractually retain legal ownership of tenant data. Perform a due diligence review of the CSP’s contract and financial viability as part of assessing privacy and legal risks25.
Cloud service unavailable due to tenant’s inadequate network connectivity to the cloud service 14 - General Implement adequately high bandwidth26, low latency, reliable network connectivity between the tenant (including the tenant’s remote users) and the cloud service to meet the tenant’s availability requirements.
Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature 15 - General Use a cloud service that meets the tenant’s availability requirements. Assess the Service Level Agreement penalties, and the number, severity, recency and transparency of the CSP’s scheduled and unscheduled outages.
16 - General Develop and annually test a disaster recovery and business continuity plan to meet the tenant’s availability requirements e.g. where feasible for simple architectures, temporarily use cloud services from an alternative CSP.
Financial consequences of a genuine spike in demand or bandwidth/CPU denial of service 17 - General Manage the cost of a genuine spike in demand or denial of service via contractual spending limits, denial of service mitigation services and judicious use of the CSP’s infrastructure capacity e.g. limits on automated scaling.
Most effective risk mitigations particularly relevant to IaaS
Tenant’s Virtual Machine (VM) compromised by malicious third party10 1 - IaaS Securely configure, harden and maintain VMs with host based security controls7 e.g. firewall, intrusion prevention system, logging, antivirus software, and prompt patching of all software that the tenant is responsible for.
2 - IaaS Use a corporately approved and secured computer to administer VMs requiring access from the tenant’s IP address, encrypted traffic, and a SSH/RDP PKI key pair protected with a strong passphrase.
3 - IaaS Only use VM template images provided by trusted sources, to help avoid the accidental or deliberate presence of malware and backdoor user accounts. Protect the tenant’s VM template images from unauthorised changes.
4 - IaaS Implement network segmentation and segregation27 e.g. n-tier architecture, using host based firewalls and CSP’s network access controls to limit inbound and outbound VM network connectivity to only required ports/protocols.
5 - IaaS Utilise secure programming practices for software developed by the tenant 28,29,30.
Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature 6 - IaaS Architect to meet availability requirements e.g. minimal single points of failure, data replication, automated failover, multiple availability zones, geographically separate data centres and real-time availability monitoring.
Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service 7 - IaaS If high availability is required, implement clustering and load balancing, a Content Delivery Network for public web content, automated scaling with an adequate maximum scale value, and real-time availability monitoring.
Most effective risk mitigations particularly relevant to PaaS
Tenant’s web application compromised by malicious third party 1 - PaaS Securely configure and promptly patch all software that the tenant is responsible for.
2 - PaaS Utilise secure programming practices for software developed by the tenant 28,29,30.
Cloud service unavailable due to CSP error, planned outage, failed hardware or act of nature 3 - PaaS Architect to meet availability requirements e.g. minimal single points of failure, data replication, automated failover, multiple availability zones, geographically separate data centres and real-time availability monitoring.
Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service 4 - PaaS If high availability is required, implement clustering and load balancing, a Content Delivery Network for public web content, automated scaling with an adequate maximum scale value, and real-time availability monitoring.
Most effective risk mitigations particularly relevant to SaaS
Tenant’s data compromised by malicious CSP staff or malicious third party 1 - SaaS Use security controls specific to the cloud service e.g. tokenisation to replace sensitive data with non-sensitive data, or ASD-approved encryption of data (not requiring processing) and avoid exposing the decryption key.
Cloud service unavailable due to genuine spike in demand or bandwidth/CPU denial of service 2 - SaaS If high availability is required, where possible and appropriate, implement additional cloud services providing layered denial of service mitigation, where these cloud services might be provided by third party CSPs.

Footnotes

  1. ASD Information Security Registered Assessors Program (IRAP)
  2. ASD Cloud Computing Security
  3. NIST Special Publication 800-145: NIST Definition of Cloud Computing (PDF)
  4. Attorney-General's Department Information Security Management Guidelines: Risk management of outsourced ICT arrangements (including Cloud) (PDF)
  5. Office of the Australian Information Commissioner Privacy fact sheet 17: Australian Privacy Principles
  6. ASD Australian Government Information Security Manual
  7. ASD Strategies to Mitigate Targeted Cyber Intrusions
  8. SANS Institute InfoSec Handlers Diary Blog: Who Inherits Your IP Address?
  9. Securosis Cloud Forensics 101
  10. BrowserStack Apologies for the downtime, but we're coming back stronger
  11. Dark Reading Code Hosting Service Shuts Down After Cyber Attack
  12. Securosis My $500 Cloud Security Screwup
  13. The Register US giant NBC 'leaks' PRIVATE Amazon keys in Github Glenn gaffe
  14. ASD Restricting Administrative Privileges Explained
  15. CVE Details Vmware Esxi : Security Vulnerabilities
  16. Microsoft Security Bulletin MS13-092: Vulnerability in Hyper-V Could Allow Elevation of Privilege
  17. CVE XEN Security Vulnerabilities
  18. Red Hat qemu-kvm security update
  19. CVE CVE-2013-0311
  20. Docker Docker Container Breakout Proof-of-Concept Exploit
  21. OpenSource.com Are Docker containers really secure?
  22. The Register How secure is Docker? If you're not running version 1.3.2, NOT VERY
  23. The Register Batten down the patches: New vuln found in Docker container tech
  24. SecLists.org Google App Engine Java security sandbox bypasses
  25. Department of Finance Cloud Computing
  26. ZDNet Terra Firma goes with private cloud for virtual desktops
  27. ASD Network Segmentation and Segregation
  28. Microsoft Security Development Lifecycle
  29. SANS Institute Top 25 Most Dangerous Software Errors
  30. Open Web Application Security Project OWASP Proactive Controls