a survey on cloud providers security measure


Upload: sin-li-kor

Post on 04-Mar-2016


Page 1: A Survey on Cloud Providers Security Measure

7/21/2019 A Survey on Cloud Providers Security Measure

http://slidepdf.com/reader/full/a-survey-on-cloud-providers-security-measure 1/28

A Survey on Cloud Provider Security Measures

Alex Pucher, Stratos Dimopoulos

Abstract

Cloud computing offers a virtually unlimited amount of resources at flexible pay-as-you-go cost. Many enterprises take advantage of this model already, but security and privacy concerns limit the further adoption of the technology. Cloud providers acknowledge these additional needs of regulated enterprises and government agencies and start offering security certifications and separate, tightly controlled “government” cloud infrastructure. This paper is a survey of the published security mechanisms implemented on the most well-known cloud service products like Amazon AWS, Google App Engine, Microsoft Azure etc. Our goal is to identify the levels of security they provide. We will analyze different aspects of their systems (certification/standards adherence, authentication/authorization mechanisms, protection from actual attacks etc.), compare them and extract valuable results regarding the security levels they offer.


Introduction

The flexibility, lower costs and scalability that cloud services can provide for small and big companies, in the private or public sector, are more than promising. Nevertheless, the security and privacy concerns are still big enough to limit an even wider adoption of cloud services. According to recent Microsoft research [75], “58 percent of the public and 86 percent of business leaders are excited about the possibilities of cloud computing” and at the same time “More than 90 percent of them are worried about security, availability, and privacy of their data as it rests in the cloud”. This shows in the most emphatic way that users want to take advantage of the new technology without sacrificing the privacy of their data. This is why the big cloud players are trying to find a solution in this direction, having realized that this is the way to attract new customers.

Cloud computing providers offer different services to their customers, like Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following picture makes clear what each of them implies in terms of the services provided to the customer.

Figure: The different aspects of Cloud computing.¹

Exactly because of the scale and variety of the different services provided, and accordingly of the different systems involved, it seems impossible to develop one single security solution that covers everything. Thus, providers often exaggerate the security services that they are able to provide. It is not long since Microsoft and Google were accusing each other of lying about their Google Apps for Government and Microsoft BPOS (Business Productivity Online Standard Suite) services respectively [69] [70] being certified for use by federal agencies under the Federal Information Security Management Act (FISMA). This is only the tip of the iceberg of an ongoing war that is taking place in the new era of cloud services about which service deals better with the number one concern of cloud users, security and privacy.

Strong privacy and security guarantees are what the market demands, and this is why cloud providers are investing in building secure systems and in being certified with as many security and privacy certifications as possible. In the next sections we will describe the services provided by the big players of the cloud market, namely Amazon, Google, Microsoft and Rackspace, and compare them in terms of the certifications, physical security, security features and privacy they provide. We also provide an appendix to explain the different certifications, standards, audits and terminology mentioned throughout the document.

¹ The image is from Max Chand’s presentation, Windows Azure SSP.

AMAZON AWS

Overview

Amazon AWS is a cloud computing platform offering an impressive amount of cloud services at all levels and providing customers with great flexibility regarding pricing and resources. Some of the most well known Amazon cloud services are EC2 (Amazon Elastic Compute Cloud) [20], which offers pay-as-you-go computing resources in the cloud, S3 (Simple Storage Service) [21] and EBS (Elastic Block Store) [22], both storage services in the cloud for different purposes, and database services such as RDS (Relational Database Service) [23], DynamoDB [24], SimpleDB [25] and ElastiCache [26]. It also offers a lot of monitoring services such as CloudSearch [27] and SWF (Simple Workflow Service) [28].

Certification/ Standards Adherence [2]

Amazon has a very comprehensive and convincing description of the certifications and standards that it possesses. The feeling you get by reading their website is that they try to formalize and structure all the security procedures that they follow. A list of all the certifications/standards and a brief description of what each ensures is provided in the following section. A more detailed description of each standard can be found in a dedicated section that follows.

SAS 70 Type II audits

Amazon states that it has completed multiple SAS 70 Type II audits in the past.

SOC 1/ SSAE 16/ ISAE 3402

The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. This audit replaced the SAS 70 Type II report.

SOC 2

Evaluation of controls relevant to security, availability, processing integrity, confidentiality, and privacy. Evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set by the AICPA (American Institute of Certified Public Accountants) [3].

ISO 27001 certification [4][5]

ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. The ISO 27001 certification includes all AWS data centers in all regions worldwide.

PCI DSS Level 1 service provider (Payment Card Industry Data Security Standard) [3]

Merchants and other service providers can now run their applications on Amazon’s PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud.

PCI validated services include:

● Amazon Elastic Compute Cloud (EC2)
● Amazon Simple Storage Service (S3)
● Amazon Elastic Block Storage (EBS)
● Amazon Virtual Private Cloud (VPC)
● Amazon Relational Database Service (RDS)
● Amazon Elastic Load Balancing (ELB)
● Amazon Identity and Access Management (IAM)
● Underlying physical infrastructure
● AWS Management Environment

ITAR (International Traffic in Arms Regulations)

This regulation is supported by the AWS GovCloud [13]. More information about the regulation can be found in the Appendix. This regulation basically restricts access to protected data to US persons and the location of the data to US ground.

FIPS 140-2

Another regulation that is supported by the AWS GovCloud [13]. It is a US government security standard and it specifies the security requirements for cryptographic modules protecting sensitive information. Amazon’s Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.

Safe Harbor

Amazon.com, including Amazon Web Services LLC, is a participant in the Safe Harbor program developed by the U.S. Department of Commerce and the European Union.

Public sector certifications

Amazon holds a FISMA Moderate certification. This is an authorization from the U.S. General Services Administration to operate at the FISMA Moderate level. More details can be found in the appendix. Amazon has received a three-year FISMA Moderate authorization for IaaS (Infrastructure as a Service) from the General Services Administration. FISMA requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, as well as the third-party audit of the established processes and controls.

Guidelines/ Structure for secure practices

Apart from the certifications that Amazon holds for its services, it also provides its customers with a platform on which they can build in order to apply for other certifications specific to the application they are using. Healthcare applications compliant with the HIPAA Security and Privacy rules have been built on AWS [6]. Moreover, Amazon publishes a set of best practices to make its users aware of what Amazon provides for security and also of what they should follow to enhance security when they are using AWS. In particular, AWS has completed the CSA Consensus Assessments Initiative Questionnaire, which provides its customers with a reference to the security existing in the AWS IaaS offerings. Also, AWS commissioned an independent assessment of AWS’s compliance with the MPAA best practices and has achieved the highest maturity rating possible [6].

Physical Security

Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Security Features / Services Security [1]

Amazon provides a number of features that are commonly used in any server environment to ensure security. We didn’t find anything new or specialized here, but the features mentioned seem to be enough to provide a high level of security. Furthermore, Amazon seems to pay attention even to very simple features like the reporting of possible vulnerabilities by its customers. As you will see in the next section, even this is done in a very well defined way. Nevertheless, many of them are configuration options provided to the customer, and for this reason it is the customer’s responsibility to use them in the proper way. An extensive list of the features provided at the different levels of Amazon’s platform follows.

Strong cryptographic methods

Amazon is using strong cryptographic methods (names of the methods are not provided) to authenticate users, HTTPS support and web service interfaces to configure firewalls and other security features.

Configurable web service interfaces

Configurable web service interfaces are provided to allow the customer to configure firewall access and network access to their databases. For instance, Amazon RDS allows customers to run their database instances on Amazon’s Virtual Private Cloud.

Security Credentials

There are three types of credentials used [8]:

● Access credentials (access keys, X.509 certificates and key pairs)
● Sign-in credentials (email address, password, AWS multi-factor authentication device)
○ See below for AWS multi-factor authentication device details.
● Account identifiers (account ID and canonical user ID)

AWS Identity and Access Management (IAM)

AWS IAM allows for the creation of multiple users and permission management. It also eliminates the need to share passwords or access keys. More details can be found in the Privacy section that follows. [9]

AWS Multi-Factor Authentication (AWS MFA)

The AWS multi-factor authentication device is provided by a third-party provider, Gemalto, and customers can purchase it to increase their security. Then each time they authenticate they need to provide both the AWS email ID and password (1st factor) and the code from the authentication device (2nd factor).

Key Rotation

Enables access key and certificate rotation without impact on the application’s availability (i.e. it supports multiple concurrent access keys and certificates).

Vulnerability Reporting / Penetration Testing Requests

Amazon provides reporting processes for security vulnerabilities [10] and penetration testing [11]. Despite the fact that this sounds like a very simple task, Amazon puts some sophistication into this by using the Common Vulnerability Scoring System (CVSS) [35] to evaluate reported vulnerabilities and prioritize the most important ones. Regarding penetration testing, Amazon gives its customers the ability to apply penetration testing to their services, and of course this has to be done after Amazon’s approval in order to distinguish it from a regular attack.

 

Security Bulletins

This is a service provided by Amazon in order to notify customers about security and privacy events with AWS services. [36]

Signed PGP Public Key

As simple as it sounds. This is a PGP key for the customers that wish to use it for added security. [12]

Network Security

The following is a list of how Amazon deals with potential network vulnerabilities and attacks.

● Distributed Denial Of Service (DDoS) Attacks
○ Proprietary DDoS mitigation techniques are used.
○ AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
● Man In the Middle (MITM) Attacks
○ All of the AWS APIs are available via SSL-protected endpoints which provide server authentication.
● IP Spoofing
○ Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
● Port Scanning
○ It is a violation of AWS’s policy and can be reported. When it is detected it is stopped and blocked.
○ It is up to the customer to take appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan.
● Packet sniffing by other tenants
○ Even two virtual instances that are owned by the same customer and located on the same physical host cannot listen to each other’s traffic.
○ Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.
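As an added illustration of the IP-spoofing and ARP-poisoning bullets above (example code written for this page, not AWS's firewall), this Python model applies the stated rule, that an instance may only emit frames carrying its own assigned MAC and IP, to a batch of constructed frames, including a poisoned ARP reply for a neighbour's address:

```python
"""Model of per-instance egress filtering as the survey describes it for EC2:
a frame leaving an instance is dropped unless its source MAC and IP are the ones
assigned to that instance, and ARP replies claiming another tenant's address are
dropped too. Simplified illustration for this page, not AWS code; the instance
table and frames are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed: what the host knows about the instances it runs.
ASSIGNED = {
    "i-aaa": {"mac": "02:00:00:00:00:01", "ip": "10.0.1.10"},
    "i-bbb": {"mac": "02:00:00:00:00:02", "ip": "10.0.1.11"},
}


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    ethertype: str = "ip"                  # "ip" or "arp"
    arp_sender_ip: Optional[str] = None    # only meaningful for ARP frames
    arp_sender_mac: Optional[str] = None


def egress_verdict(instance_id, frame):
    """Return ("accept", reason) or ("drop", reason) for a frame sent by instance_id."""
    own = ASSIGNED.get(instance_id)
    if own is None:
        return ("drop", "unknown instance")
    if frame.src_mac.lower() != own["mac"]:
        return ("drop", f"source MAC {frame.src_mac} is not the instance's MAC")
    if frame.ethertype == "arp":
        # A poisoned ARP reply binds a victim's IP to the sender's MAC; the filter
        # only lets an instance speak for its own address.
        if frame.arp_sender_ip != own["ip"] or (frame.arp_sender_mac or "").lower() != own["mac"]:
            return ("drop", "ARP sender fields do not match the instance's own IP/MAC")
        return ("accept", "ARP for own address")
    if frame.src_ip != own["ip"]:
        return ("drop", f"source IP {frame.src_ip} is not the instance's IP")
    return ("accept", "source addresses match assignment")


def audit(instance_id, frames):
    """Summarise a batch: number accepted, and (source IP, reason) for each drop."""
    accepted, dropped = 0, []
    for f in frames:
        verdict, reason = egress_verdict(instance_id, f)
        if verdict == "accept":
            accepted += 1
        else:
            dropped.append((f.src_ip, reason))
    return accepted, dropped


# Constructed traffic from i-aaa: a legitimate packet, a spoofed source IP, a borrowed
# MAC, a legitimate ARP for its own address and a poisoned ARP reply for i-bbb's IP.
SAMPLE_FRAMES = [
    Frame("02:00:00:00:00:01", "10.0.1.10", "10.0.1.11"),
    Frame("02:00:00:00:00:01", "10.0.1.11", "10.0.1.10"),
    Frame("02:00:00:00:00:02", "10.0.1.10", "10.0.1.11"),
    Frame("02:00:00:00:00:01", "10.0.1.10", "10.0.1.11", "arp", "10.0.1.10", "02:00:00:00:00:01"),
    Frame("02:00:00:00:00:01", "10.0.1.10", "10.0.1.11", "arp", "10.0.1.11", "02:00:00:00:00:01"),
]

if __name__ == "__main__":
    ok, dropped = audit("i-aaa", SAMPLE_FRAMES)
    print(f"accepted={ok}")
    for src, why in dropped:
        print(f"dropped (src {src}): {why}")
```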

 

Data Privacy [1]

Data access

Amazon supports several mechanisms to configure who, when and from where the data can be accessed. For example, Amazon S3 provides 4 different access mechanisms [30]:

○ Identity and Access Management (IAM) policies [34]
■ IAM enables the creation and management of multiple users under a single account and their corresponding roles. Moreover, there is a capability for identity federation between the customer’s corporate directory and AWS services, enabling users to use their corporate identities to grant access to AWS services. To allow the creation of “federated users”, Amazon allows the creation of temporary security credentials, comprised of short-lived access keys and session tokens associated with these keys. The permissions of these temporary credentials are at most equal to those of the IAM user who created them, but they can also be restricted to more limited permissions.
○ Access Control Lists (ACLs)
■ Add/remove permissions on individual objects
○ Bucket policies
■ Same as above, but for permissions across some or all of the objects within a single bucket
○ Query string authentication
■ Capability to share Amazon S3 objects through URLs that are valid for a predefined time.
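Two of the mechanisms in the list above, temporary credentials that can only narrow the issuing IAM user's permissions and query-string-authenticated URLs that expire, are modelled together in the following Python example written for this page. It is not the AWS signing algorithm: the canonical string, the user table, the keys and the bucket names are all constructed assumptions.

```python
"""Simplified model of S3 temporary credentials and query-string authentication.
Added illustration for this page, not AWS's scheme; every value is constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed IAM user: long-lived secret plus the actions it may perform per bucket.
IAM_USERS = {
    "AKIAEXAMPLEUSER": {
        "secret": "constructed-long-lived-secret",
        "permissions": {"reports": {"s3:GetObject", "s3:PutObject"}, "logs": {"s3:GetObject"}},
    }
}
TEMP_CREDENTIALS = {}  # session access key -> issued temporary credential


def issue_temporary_credentials(user_key, session_policy=None, ttl=3600, now=0):
    """Mint short-lived credentials for user_key; permissions never exceed the user's own."""
    user = IAM_USERS[user_key]
    if session_policy is None:
        effective = {b: set(a) for b, a in user["permissions"].items()}
    else:
        # Intersection: a session policy can only remove permissions, never add them.
        effective = {b: set(user["permissions"].get(b, ())) & set(a)
                     for b, a in session_policy.items()}
    cred = {
        "access_key": "ASIA" + secrets.token_hex(8).upper(),
        "secret": secrets.token_urlsafe(30),
        "permissions": {b: a for b, a in effective.items() if a},
        "expires": now + ttl,
    }
    TEMP_CREDENTIALS[cred["access_key"]] = cred
    return cred


def _string_to_sign(method, bucket, key, access_key, expires):
    # Binds method, object and expiry to the signature so none can be altered afterwards.
    return f"{method}\n/{bucket}/{key}\n{access_key}\n{expires}"


def presign(cred, method, bucket, key, ttl, now=0):
    """Build a URL whose query string authenticates one request until now + ttl seconds."""
    expires = now + ttl
    msg = _string_to_sign(method, bucket, key, cred["access_key"], expires)
    sig = hmac.new(cred["secret"].encode(), msg.encode(), hashlib.sha256).hexdigest()
    query = urlencode({"AccessKeyId": cred["access_key"], "Expires": expires, "Signature": sig})
    return f"https://s3.example.invalid/{bucket}/{key}?{query}"


def authorize(url, method, now):
    """Service side: check expiry and signature, then the session's effective permissions."""
    parts = urlsplit(url)
    bucket, _, key = parts.path.lstrip("/").partition("/")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    cred = TEMP_CREDENTIALS.get(q.get("AccessKeyId", ""))
    if cred is None:
        return (False, "unknown access key")
    expires = int(q.get("Expires", "0"))
    if now > expires or now > cred["expires"]:
        return (False, "link or credential expired")
    msg = _string_to_sign(method, bucket, key, cred["access_key"], expires)
    expected = hmac.new(cred["secret"].encode(), msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q.get("Signature", "")):
        return (False, "bad signature")
    action = {"GET": "s3:GetObject", "PUT": "s3:PutObject"}.get(method, "")
    if action not in cred["permissions"].get(bucket, ()):
        return (False, f"{action} on {bucket} not permitted for this session")
    return (True, "ok")


if __name__ == "__main__":
    # Session narrowed to read-only on 'reports': DeleteObject was never held by the user,
    # PutObject and the 'logs' bucket are dropped because the session policy omits them.
    session = issue_temporary_credentials(
        "AKIAEXAMPLEUSER", {"reports": {"s3:GetObject", "s3:DeleteObject"}}, now=0)
    link = presign(session, "GET", "reports", "q1.csv", ttl=600, now=100)
    print(authorize(link, "GET", now=200))                               # (True, 'ok')
    print(authorize(link, "GET", now=701))                               # expired
    print(authorize(link.replace("q1.csv", "q2.csv"), "GET", now=200))   # bad signature
    print(authorize(presign(session, "PUT", "reports", "q1.csv", 600, now=100), "PUT", now=200))
```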

 

VPC (Amazon Virtual Private Cloud)

Amazon VPC [32] lets users use a private and isolated portion of the cloud where they can configure their IP address range, create subnets, configure routing tables and gateways, and launch various AWS services in this environment. In RDS, for example, users can isolate their database instances by specifying the IP range they wish to use and connecting to their infrastructure through an encrypted IPsec VPN. This is a service currently supported by all the RDS DB engines. Another example of the usage of VPC is that users could configure their S3 data to be accessible only through instances in their VPC. For even better isolation they can run Amazon’s EC2 Dedicated Instances [33] inside the VPC, which ensures isolation at the hardware level by running on hardware dedicated to a single customer. Customers have the flexibility to mix both dedicated and non-dedicated instances inside one VPC or use them in separate VPCs.

AWS GovCloud (US)

AWS GovCloud [13] is the top level of isolation that Amazon provides. It allows US government agencies and customers to move more sensitive workloads. It is a separate region (GovCloud Region) physically and logically accessible by U.S. persons only. Appropriate workloads for the GovCloud are:

○ Controlled Unclassified Information (CUI) including ITAR
○ Government-oriented publicly available data

Amazon GovCloud adheres to ITAR and supports FIPS 140-2.

Data Encryption

Amazon allows for encryption of personal and business data. On S3, for example, all data is uploaded or downloaded via SSL-encrypted endpoints using the HTTPS protocol. It also provides a client encryption library [29] for those who prefer to manage their own encryption keys (in this case the keys are encrypted on the client side) and Amazon SSE (Server Side Encryption) for those who prefer to let Amazon S3 manage their keys [31].

History Logs

Amazon gives customers the option to enable logs in some of its services (for example Amazon S3 buckets), a functionality that is helpful to track the requests made and can probably be used for auditing purposes.

Rackspace

Overview

Rackspace provides a great variety of cloud services including IaaS and SaaS. It provides its clients with servers on demand and a RESTful API (OpenStack API [16]) to launch and control the cloud servers. It also provides cloud hosting services for websites and files (in a partnership with Akamai [18]), block storage, container-based virtualization and redundant storage for high performance MySQL databases on the cloud, backup services, load balancing, monitoring, free DNS management and a private cloud for increased privacy. Moreover, Rackspace has an open approach as it is powered by OpenStack [16], the cloud’s open source operating system, and it also offers hybrid services, combining both cloud and dedicated servers.

Certification/ Standards Adherence [14]

The certifications that Rackspace possesses are not presented in a structured way, and it is also confusing whether they actually possess some of the standards or merely agree that these standards should be met by a cloud vendor for potential clients that need them [74]. Certifications that Rackspace holds are ISO 27001/2 based policies that are reviewed at least annually and possibly PCI/DSS and HIPAA-BAA. It is also not clear if they are performing SAS 70 Type II and SOC 1 Type 1 & 2 audit reports. Moreover, there are some general arguments regarding secure document and media destruction, independent reviews performed by third parties, continuous monitoring and improvement of the security program and the security organization of the company.

Physical Security

The following is a list of the practices that Rackspace follows to ensure the physical security of its services:

● Data center access is limited to only authorized personnel
● Badges and biometric scanning for controlled data center access
● Security camera monitoring at all data center locations
● Access and video surveillance log retention
● 24x7x365 onsite staff provides additional protection against unauthorized entry
● Unmarked facilities to help maintain a low profile
● Physical security audited by independent firms annually

Security Features / Services Security

Again, Rackspace fails to present its security features in a unified way. Instead, there are security measures and protocols in the descriptions of the various services that it provides.

Network Security

Rackspace incorporates software defined networking and claims that this way customers are able to create completely isolated networks.

Encryption

AES (Advanced Encryption Standard) is used with a 256 bit key for the backup service [17].

Private Containers

Private Containers is a feature provided for the Rackspace Cloud Files service and ensures that all the traffic between the customer’s application and Cloud Files uses SSL to establish a secure and encrypted channel.

Modified Medium Trust

The Rackspace Cloud Windows environment operates in modified medium trust (instead of full trust) to protect the security, scalability and performance of the users by eliminating the potential for application interference. Applications under medium trust have no registry access and no access to the Windows event log. Also, both network and file system access are limited.

Privacy

Rackspace offers the “private cloud” [15] to increase privacy: a server environment based on OpenStack, delivered as a downloadable ISO package, that can be hosted in the client’s data center, at Rackspace or in a third party’s data center, and can be managed with or without the support of Rackspace.

 

Google Cloud

Overview

Google’s cloud platform includes the App Engine, Compute Engine, Cloud Storage, BigQuery, Cloud SQL, the Prediction and the Translation APIs. Google employs a multi-layered security strategy. A distinguished, more secure service is Google Apps for Government, for which we have dedicated a separate section [57]. Google provides information about 13 datacenter locations [41] and an uptime guarantee of 99.9% (without a specific time range).

Certification/ Standards Adherence

Google doesn’t refer to the different standards that it uses to ensure the security of its cloud services. We assume that this is happening because these standards are common with the other Google services and for this reason they are omitted. Recently they mentioned on their blog [] that they completed a SSAE 16 / ISAE 3402 SOC 2 Type II report which covered Apps, AppsVault, Apps Script, App Engine and Cloud Storage. Also, there is a reference to the standards followed by Google Apps for Government that support greater security and privacy than the rest of the cloud services provided by Google.

Google Apps for Government

● FISMA Moderate (from the Dept. of the Interior)
● HIPAA (Webmail). A standard for protecting health information.
● PCI DSS (Webmail)
● SSAE 16 and ISAE 3402 Type II audit [40]
● SAS 70
● Safe Harbor [73]
● Two factor authentication: Google Apps for Government includes an extra layer of security with two factor authentication, which reduces the danger of having data stolen.

Physical Security

Google claims that only select Google employees have access to the datacenter facilities and that this access is controlled and audited. Heat-sensitive cameras, biometric verification, authentication mechanisms and permitting entry only to authorised personnel are some of the measures Google takes to ensure the security of its data centers.

 

Security Features / Services Security

Google provides a great number of security features and policies to prevent threats and formalize infrastructure management procedures. As you can see, there is no significant difference between the protection of cloud services and any other traditional system. Everything that would make sense for the protection of a server or data center is also applied in the Google cloud.

Malware Protection

Google uses manual and automated scans to find websites that can be the source of malware or phishing [58]. The blacklists from these scans have been incorporated in many Google products on servers and workstations. Apart from this general statement, Google doesn’t specify how this is adapted to its cloud products.

Monitoring

Network analysis is supplemented by automated analysis of system logs to help determine whether an unknown threat exists for Google systems.

Vulnerability Management

For vulnerability management many commercial and proprietary products are used to detect and manage vulnerabilities in a timely manner. Automated and manual penetration tests, quality assurance processes, software security reviews and external audits are some of the security measures used.

Incident Management

This is a 24/7 service provided by the Google security group to ensure that any security related event is treated with priority according to its severity and as fast as possible.

Network Security

For network security Google does the following:

● Use and management of firewalls and ACL technology
● Restricting access to network devices only to authorized personnel
● External traffic is routed through custom front-end servers. This helps detect and stop malicious requests.
● Improved monitoring using internal aggregation points
● Examination of logs for exploitation of programming errors

Transport Layer Security

Google uses HTTPS to secure browser connections.

Operating System Security

Google uses a modified version of Linux that supports only the services necessary for the Google products to run.

Privacy

There is nothing specific referred to regarding privacy protection, apart from the fact that in the government cloud user data is not scanned and used for displaying ad messages. Users are in control of who they share their data with and how.

Microsoft Azure

Overview

Microsoft Azure is a cloud offering in the IaaS, PaaS and SaaS space. It includes traditional IaaS Virtual Machine hosting, BLOB storage and software-defined networking and extends to the PaaS area with hosted web services, database instances and batch-processing frameworks. Additionally, cross-cutting concerns such as user authentication, reliable messaging and content delivery are addressed with specific services. The Azure service is typically accessed via a REST API and web interfaces and delivered from 4 datacenters in the US, 2 in Europe and 2 in Asia.

Certification/ Standards Adherence

Microsoft makes publicly available a summary of their security measures and policies. However, specifics on their Information Security Policy may only be obtained under an NDA. Additionally, Microsoft provides the “Windows Azure Trust Center” web portal, which breaks down certifications per service. For the IaaS offerings Microsoft Azure claims adherence to the ISO 27001 and HIPAA standards and performs annual SAS 70 audits. A SOC 1 Type 2 audit for networking, storage and hosted web services is available under NDA.

Physical Security

Microsoft emphasizes the compliance with ISO 270001 in connection with physical security

measures taken. Explicitly, the following procedures are mentioned:

● Access control at all facilities

● Personal identification with badges or biometrics required at all times

● Regular audits of access lists

● Video surveillance

● Two factor authentication for physical access

● Non-advertized datacenter locations

● Additionally locked perimeters inside data centers

● Off-site equipment and personnel must be authorized by dedicated staff.

Security Features / Services Security

General

Microsoft Azure integrates Microsoft’s Security Development Lifecycle (SDL) guidelines [60].

Microsoft SDL is a software development security assurance process grouped in seven different

phases. These are training, requirements, design, implementation, verification, release and response.

Operations Personnel

Other security precautions are background checks and security training for personnel, non-disclosure agreements, and the least privilege sufficient for personnel to carry out their duties. Moreover, there are multiple levels of monitoring, logging and reporting and a combination of controls to detect malicious activity.

Network administration

Azure’s internal network is isolated from external traffic with strong filtering. Administration of the network devices is performed only by authorized personnel. An RPC-accessible API is provided that accepts commands from SMAPI (Storage Management API). Detailed information regarding the encryption that can be used while building a product with .NET on Windows Azure can be found in [61].

 

Privacy

 

Microsoft’s privacy practices are based on a number of principles, as described in the “Privacy in the Cloud” white paper [63]. These principles include:

● Accountability in handling personal information

● Notice to individuals about the data collection procedures

● Collection of individuals’ data only for the reasons provided in the privacy notice

● Choice and consent of individuals regarding the collection and use of personal

information

● Use and retention of personal information in accordance with the privacy notice

● Disclosure or onward transfer to vendors and partners in a security enhanced manner

and only for the purposes provided in the privacy notice

● Quality assurance to ensure that personal information is accurate and relevant to the

purpose for which it was collected

● Access to individuals to inquire about, view or update their personal data

● Enhanced security to help protect against unauthorized access

● Monitoring and enforcement of compliance with the privacy policies.

 

In general, the biggest difference between traditional IT services and the cloud is that in the latter case it is the customer organization that controls and sets the policies for how its customers’ or employees’ data is handled in the cloud. Microsoft has developed data handling processes in its agreements with business and government customers.

 

The information provided in the Windows Azure Security Overview regarding privacy is limited to the statement “Windows Azure Storage is designed to ensure customer deleted data is faithfully and consistently erased.” As described in the Windows Azure Privacy Statement [62], Microsoft retains the right to replicate data between different sub-regions unless customers have disabled this feature, but in any case data will not be transferred outside the major geographic region.

 

Last, Microsoft supports efforts to enable the development of globally consistent policy

frameworks that both support privacy protection and enable data flow from data centers located

in countries with divergent rules and laws.


 

Microsoft Office 365

Overview

Under the label of Office 365 Microsoft offers a range of subscription-based SaaS services for collaboration and productivity tools. These include hosted instances of their collaboration products Exchange and SharePoint, and online tools for text processing, spreadsheets and presentations, and they offer tight integration with the desktop-based Office suite.

The service is offered at different levels of security to fulfill the additional requirements of FISMA, ITAR or the EU Model Clauses. The name for the FISMA compliant service is BPOS-Federal.

Certification/ Standards Adherence

Microsoft Office 365 is not differentiated much from the other cloud products of Microsoft, as can be seen in the following list of certifications.

● ISO 27001

● Safe Harbor

● EU Model Clauses

● HIPAA-BAA

● FISMA (by the Broadcasting Board of Governors)

● ITAR (by the United States Department of Agriculture)

Physical Security

The physical security model offered for Microsoft Office 365 is equivalent to that of Microsoft Azure and the other cloud products of Microsoft.

Security Features / Services Security

Microsoft Office 365 doesn’t differ significantly from the other Microsoft cloud products regarding the security features offered. These features include malware protection for servers and customer data, an anti-spam service, intrusion detection, and Microsoft Online IDs and Federated IDs as options for user authentication. Moreover, Microsoft performs regular audits and proactive monitoring to ensure the security of their systems and to predict vulnerabilities, respectively.

All connections established to Office 365 are encrypted using 128-bit SSL/TLS encryption. Encryption is provided on several layers, such as the transport layer, encryption between clients and Exchange Online (SSL), instant messaging and IM federation. There is also support for S/MIME, Active Directory Rights Management Services or PGP. Office 365 currently does not encrypt data at rest; however, the customer may do so through IRM or RMS.


Privacy

Office 365 provides an extensive collection of documentation on data privacy. Some information is accessible through the Microsoft Trust Center [37] web portal and the Office 365 privacy whitepaper [38]. The details of the Information Security Policy are only available under NDA [39]. Specific privacy features are presented in the following list.

● Office 365 abides by privacy-relevant standards such as the EU Model Clauses and HIPAA.

● Microsoft guarantees not to use customer data for advertising or to run data analytics without the customer’s consent. This may, however, be an integral part of the license agreement.

● An auditable and formal process for access to customer data by Microsoft staff is provided.

● Customers can define geographic boundaries for data storage and processing. Notifications are provided in case changes are required or violations are observed.

● The service allows separation of data between the customer and Microsoft consumer services. There isn’t any mention of specific mechanisms, however.

● Finally, there is a private cloud offering of Office 365 in cooperation with VMware.

 


Summary

 

The following table summarizes the certifications or audits that each provider is compliant with (fields with a question mark indicate that it is not clear whether the provider holds the certification):

 

                           Amazon AWS   Google Cloud   Microsoft Cloud   RackSpace

SAS 70 Type II Audits

SOC 1 Type 1 & 2 reports

SOC 2

SSAE 16 standard

ISAE 3402 standard

ISO 27001 certification

PCI/DSS

HIPAA-BAA

CVSS

Safe Harbor

FISMA

ITAR

FIPS

[Table cell entries (which provider holds which certification) were not recovered from the extracted text; only the column headers and row labels survive.]

 


Note that as long as a provider has even one service that complies with a certification, we consider the whole cloud of that provider to comply with it. Of course this is not strictly true and has actually been a cause of legal disputes between the different providers, but we do this purely for high-level comparison purposes. For example, Microsoft cloud as presented in the table above includes both Azure and Office 365, and when a certification exists this doesn’t mean that it applies to both services. Similarly, there are Google Cloud services, like Gmail, that are not ITAR compliant, since Gmail servers are located all over the world and not just in the US, but we still consider Google Cloud to possess these certifications.

 

Regarding physical security, more or less all providers offer the same level of security. Furthermore, the physical security provided doesn’t differ from the security needed for other traditional data centers.

 

The security features provided by the major cloud providers differ more in the way they are presented and advertised and less in their actual value. Maybe the details could make the difference, but details are something that the providers reveal only under an NDA. Overall, we think that the security features provided are sufficient to protect the systems involved in a cloud platform. After all, there is no significant difference between the protection of cloud services and that of any other traditional system.

 

When it comes to privacy, Amazon, Microsoft and Google offer solutions with a very high level of privacy, enough to be used by government agencies and the army. Google misses some of the certifications needed for this purpose, or at least it doesn’t publish them online. Rackspace doesn’t provide solutions for the Government and accordingly it doesn’t possess the required certifications.

 

Conclusion 

In this survey we tried to dig into the details of the security and privacy offerings of four big cloud

providers. The security measures provided in the cloud do not differ significantly compared to

any other large-scale, complex system and this is why all the providers we examined in this

survey are certified to provide most of the required security features. An area where they do differ is that of the “government” sector, for which special and stricter guarantees for privacy and security are required. Another point we would like to mention is the difficulty we encountered in gathering and verifying this information. In the best case, some providers don’t advertise this information in a compact way. Even worse, sometimes they give the impression that they possess a particular certification for all their services, while in fact the certification covers only a part of them. Overall, though, we think that important steps have already been taken in the right direction, and that competition and the growing maturity of the services will, as time passes, help settle most of the concerns that users have regarding the privacy of their data.


SOC 2 examines the details of data center testing and operational effectiveness.

SSAE 16 standard

This is the standard under which SOC 1 reports should be issued. It came as an enhancement to the SAS70 standard and is most up to date with the new international service organization reporting standard, ISAE 3402. [44]

 

ISAE 3402 standard

International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on

Controls at a Service Organization allows public accountants to issue a report for use by user

organizations and their auditors on the controls at a service organization that are likely to impact

or be a part of the user organization’s system of internal control over financial reporting. [45]

 

ISO 27001 certification

ISO 27001 defines specific requirements to bring information security under explicit management control. This means that the security controls of the company are systematically examined in a unified way. The security aspects covered include information security risks and vulnerabilities, but also physical security practices. [46]

 

The certification usually involves a three-stage external audit process.

● The first stage is a preliminary stage used mostly to familiarize the organization with the

auditors.

● The second stage is a thorough examination of the design and implementation of the

information security management system. After this stage the ISMS is certified as ISO 27001 compliant.

● The third stage includes follow ups and reviews to ensure that the ISMS remains in

compliance with the standard.

 

In the following diagram the process a company needs to follow to comply with the certification

is described:


Payment Card Industry (PCI), Data Security Standard (DSS)

The intention of this standard is to help organizations that handle cardholder information for debit, credit cards etc. to proactively protect their customers’ account data from fraud [47]. Nevertheless, the effectiveness of this standard has been criticized as providing only a minimal baseline for security.

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that

defines a comprehensive framework to protect government information, operations and assets

against natural or man-made threats. [48] Depending on the risk level of the sensitive information, there are 3 different security categories for FISMA, namely Low, Moderate and High. Each level has some minimum requirements and builds on the previous one.

FISMA requires federal agencies to have an information security system for their data and infrastructure. The FISMA levels require cloud companies to implement an extensive set of security controls, including the documentation of the management, operational and technical processes used to secure the physical and virtual infrastructure, and also the conduct of third-party audits. [49]

Defense Information Assurance Certification and Accreditation Program

(DIACAP)

DIACAP [50] belongs to the US Department of Defense and ensures that risk management is applied to information systems. It includes the following 5 phases [51]:

● Initiate and Plan

● Implement and Validate

● Make C&A Decisions

● Maintain ATO/Reviews

● Decommission

ITAR (International Traffic in Arms Regulations)

Anyone dealing with defense articles, services or data must comply with ITAR, according to US government requirements. To be ITAR compliant a company should register with the DDTC (Directorate of Defense Trade Controls), which sets out what is needed for ITAR compliance. In short, the ITAR regulations prohibit any material related to defense from being shared or resold to non-U.S. persons without prior authorization from the U.S. Department of State. [52]

FIPS (Federal Information Processing Standards) publication 140-2

FIPS publications have been developed by the U.S. government to standardize codes such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard) [53].

The FIPS 140-2 publication is used to accredit cryptographic modules, comprising both software and hardware components, for use by the departments and agencies of the United States federal government. Compliance with FIPS 140-2 doesn’t necessarily mean that a system is secure. There are 4 different levels defined under FIPS 140-2 [54]:

● Level 1: Imposes very limited requirements

● Level 2: Adds requirements for physical tamper-evidence and role-based authentication.

● Level 3: Builds on level 2 to add physical tamper-resistance and identity-based

authentication.

● Level 4: Stronger physical requirements and robustness against environmental attacks

CVSS (Common Vulnerability Scoring System)

CVSS provides a universal, open and standardized method for rating IT vulnerabilities [55]. CVSS measures three areas [56]:

1. Base Metrics for qualities intrinsic to a vulnerability.

2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.

3. Environmental Metrics for characteristics of a vulnerability that depend on a particular

implementation or environment.

 

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is the United States Health Insurance Portability and Accountability Act of 1996. HIPAA seeks to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. [66]

HIPAA-BAA

This is a contract between a HIPAA covered entity and a HIPAA business associate to protect personal health information in accordance with HIPAA guidelines. [67]

EU Model Clauses

The EU Model Clauses restrict the transfer of personal data to countries outside the European Economic Area (EEA), unless the recipient is located in a country with an “adequate level of data protection”. Notably, this doesn’t include the US. [64]

Safe Harbor 

US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive

95/46/EC on the protection of personal data. [68]