Automate Cloud Storage Standards Compliance (NIST SP 800-53)

University of Western Ontario
Electrical and Software Engineering Department
Mohamed Soliman
4/1/2014
Dr. Abdelkader Ouda




Contents

Table of Figures .... 2
Abbreviations and Acronyms .... 2
Abstract .... 3
Introduction .... 3
Part 1 .... 4
1.1. Cloud Computing .... 4
1.2. Types of Cloud Services .... 4
1.3. Service Management Levels in Cloud Services .... 5
1.4. Cloud Deployment Models .... 6
1.5. Cloud Storage .... 8
1.6. Cloud Computing Risks and Remediation .... 9
1.7. Cloud Security Benefits .... 10
1.8. Cloud Computing Security Concerns .... 11
1.9. Cloud Security Technologies .... 13
2. Part 2 .... 14
2.1. What is FISMA .... 14
2.2. NIST SP 800-53 .... 14
2.3. NIST 800-53 Security Control Structure .... 15
2.4. Why Do We Need Cloud Storage Audit Compliance .... 16
3. Part 3 .... 18
3.1. High Level Functionality Design .... 18
3.2. Proposed System Architecture .... 20
3.3. Main Auto-Data Collection Methodologies .... 22
Future Plans .... 23
Conclusion .... 24
Bibliography .... 25
Appendix A .... 0
Appendix B .... 1


Table of Figures

Figure 1: Types of Cloud Services .... 4
Figure 2: Services Management Levels .... 6
Figure 3: Cloud Deployments .... 8
Figure 4: Cloud Storage .... 9
Figure 5: NIST Special Publication 800-53 R4 .... 15
Figure 6: High Level Functionality Design .... 19
Figure 7: Proposed System Architecture .... 20
Figure 8: Framework Swimlane Diagram .... 21
Figure 9: Data Collection Methodologies .... 23

Abbreviations and Acronyms

API Application Programming Interface
COBIT Control Objectives for Information and related Technology
CSP Cloud Service Provider
DDoS Distributed Denial of Service
DoS Denial of Service
DSS Data Security Standard
FW Framework
FW-UI Framework User Interface
GRC Governance, Risk Management and Compliance
GUI Graphical User Interface
HIPAA Health Insurance Portability and Accountability Act
HTML Hyper Text Markup Language
HTTP Hyper Text Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IDS Intrusion Detection Systems
IPS Intrusion Detection and Protection Systems
ISO International Organization for Standardization
NIST National Institute of Standards and Technology
NTP Network Time Protocol
NVT Network Vulnerability Tests
PaaS Platform as a Service
PCI Payment Card Industry
SaaS Software as a Service
SLA Service Level Agreement
SSL Secure Sockets Layer
VM Virtual Machine
VPN Virtual Private Network


Abstract

The purpose of this project was to explore and create a framework to automate the cloud storage compliance assessment process based on one of the most well-known standards, NIST 800-53. The project goal is to show that, by following the suggested framework processes, any organization can determine whether a cloud service provider is compliant with the NIST standard or not, and even to what percentage it is.

A large body of literature on the subject was reviewed during the course of this project, including academic literature and product details from various vendors. An experiment was done to demonstrate how systems can be vulnerable to attack if no security best practices are employed. It was found that virtual and cloud computing comes with a new set of security concerns over traditional computing, and that there are many technologies and best practices available to make virtual machines and the cloud a secure place.

Introduction

In traditional computing, applications, operating systems and hardware are bound together in a way that a vulnerability in one layer has a direct impact on the layers above it. Cloud computing brings a different paradigm in which applications, operating system and hardware are de-coupled from each other (using virtualization), so that problems in one layer do not have a direct impact on the layers above. Along with many other benefits, such as better resource management, improved availability and flexibility, cloud computing seems to be a very good alternative to traditional computing. However, cloud computing comes with a new set of security concerns that were not present in traditional computing, and these limit users from getting the full benefit of cloud technology. Therefore a number of international best-practice standards exist in the market, and there is a need to be sure that the cloud service provider is following one or more of these standards, chosen according to the organization's business and objectives.

As a result of these concerns, the need for a standard for Cloud Service Providers (CSPs), especially for government business, became a crucial issue. Although there are a number of standards related to cloud computing, the process of assessing whether a CSP is compliant with a standard consumes a lot of effort and time. This project was conducted with the aim of suggesting a framework to automate this process and to report whether a CSP is compliant or not and, if it is, at what percentage.

The project was divided into three main parts:

1. Cloud computing and cloud storage introduction.

2. Standards and the need for them.

3. The suggested framework for automating cloud storage compliance assessment according to NIST 800-53.


Part 1

This part is an introduction to cloud computing in general, including the definition of cloud computing and cloud storage, types of cloud services, cloud deployments, cloud security, cloud concerns, etc. The goal of this first part is to establish a common understanding of cloud computing, as a number of different definitions and understandings still come to mind when we talk about cloud computing.

1.1. Cloud Computing

One of the most accurate definitions of cloud is the one NIST gives for Cloud Computing: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

1.2. Types of Cloud Services

There are three types of cloud services. I prefer to call them three levels of cloud services, as they provide the end user with three different levels of the cloud, built on each other as follows:

Figure 1: Types of Cloud Services

Infrastructure-as-a-Service (IaaS):

Infrastructure-as-a-Service is the first layer and foundation of cloud computing. Using this service model, you manage your applications, data, operating system, middleware and runtime. The service provider manages your virtualization, servers, networking and storage. This allows you to avoid expenditure on hardware and human capital; reduce your ROI risk; and streamline and automate scaling. IT and developers of any organization can use this kind of cloud services to deliver business solutions.


According to a 2011 article released by Venture Beat, “Some of the biggest names in IaaS include Amazon, Microsoft, VMWare, Rackspace and Red Hat.” [1]

Platform-as-a-Service (PaaS):

PaaS is the second level or layer of cloud computing. You manage your applications and data, and the cloud vendor manages everything else. Benefits for using Platform-as-a-Service include streamlined version deployment and the ability to change or upgrade and minimize expenses. In this level you don’t have any management authority over operating system or other infrastructure components.

One popular Platform-as-a-Service is the Google app engine. In this model, your business benefits because it is not necessary to hire people to maintain these systems as your only concern is your application and its data.

Software-as-a-Service (SaaS):

SaaS is the most famous level of cloud computing, as we all use it, sometimes without even knowing it. It is the third type, where you don't manage anything: you just access the application and use it. You may have some privileges to customize your application, but you still don't have access to the infrastructure of the cloud service. The service provider hosts the software, so you don't need to install it, manage it, or buy hardware for it. All you have to do is connect and use it.

Famous Examples of SaaS are online banking and email such as Gmail and Outlook. You use it but the cloud provider is the real owner of the service.

1.3. Service Management Levels in Cloud Services

As we can see, while there are some similarities among the three cloud computing service models, there are significant differences among them as well. You select the desired level or service according to the organization needs and level of resources availability to manage the service.


Figure 2: Services management levels

1.4. Cloud Deployment Models

In this part we focus our attention to some of the primary cloud models. Cloud delivery models refer to how a cloud solution is used by an organization, where the data is located, and who operates the cloud solution. Cloud computing supports multiple delivery models that can deliver the capabilities needed in a cloud solution. [2]

Public Cloud

A public cloud is one in which the cloud infrastructure is made available to the general public or a large industry group over the Internet. The infrastructure is not owned by the user, but by an organization providing cloud services. Services can be provided either at no cost, as a subscription, or under a pay-as-you-go model.

Examples of public clouds include IBM SmartCloud Enterprise, Amazon Elastic Compute Cloud (EC2), Google AppEngine and Windows Azure Services Platform.

Private Cloud

A private cloud refers to an internal cloud solution where the solution and infrastructure are provisioned for the exclusive use of a single organization. In this case, the organization often manages and acts as a cloud service provider, providing the cloud service to internal business units that obtain all the benefits of a cloud without having to provision their own infrastructure. By consolidating and centralizing services into a cloud, the organization benefits from centralized service management and economies of scale.


It can still be owned and managed by the organization, a third party, or a combination of both. The private cloud infrastructure is usually provisioned on the organization's premises, but it may also be hosted in a data center that is owned by a third party.

Community Cloud

A community cloud shares the underlying infrastructure with other organizations that share a common interest, such as security. It is not completely public, and the fee is shared by community members: it is neither totally public nor fully private.

The primary goal of a community cloud is to have participating organizations realize the benefits of a public cloud, such as shared infrastructure costs and a pay-as-you-go billing structure, with the added level of privacy, security and policy compliance usually associated with a private cloud.

Hybrid Cloud:

A hybrid cloud refers to a combination of more than one of the previous cloud models (see Figure 3). It allows organizations to fully utilize the scalability and cost-effectiveness of a public cloud without exposing applications and data beyond the corporate intranet. A well-constructed hybrid cloud can service secure, mission-critical processes, such as receiving customer payments (a private cloud service), and also those that are secondary to the business, such as employee payroll processing (a public cloud service).

The major drawback to a hybrid cloud is the difficulty in effectively creating and governing such a solution. Services from a variety of sources must be obtained and provisioned as though they originated from a single location, and interactions between private and public components make the implementation even more complicated.

At a high level, cloud computing architecture can be partitioned into:

1. Client or front-end platform (thin or thick client).

2. Back-end platform (storage server, etc.).

3. The network (Internet, etc.).

These client platforms communicate with the cloud data storage via an application (hosted on middleware), accessible via a browser.


1.5. Cloud Storage

Cloud storage has become a common way for people, organizations, and governments to share, store or back up their data and files. Businesses are even looking at this valuable service as a way to save money on storage equipment while making client documents available to their employees around the world.

Government agencies at the federal, state and local levels need easy, quick and secure methods to share, synchronize and send confidential information within and across agency boundaries in order to protect security interests. Users can access and share the latest files and folders on smartphones, tablets, laptops and desktops, ensuring that today's government professionals have the information they need, where and when they need it. Cloud storage is the best way to achieve that. Therefore, it needs to be compliant with government agency standards such as NIST, HIPAA and ISO. Otherwise there is a critical risk of privacy and security breaches [3]. See Figure 4.

Figure 3: Cloud Deployments


Figure 4: Cloud Storage

1.6. Cloud Computing Risks and Remediation

Cloud computing provides many benefits over traditional computing. However, it comes with a price. The main price that both the cloud computing solution provider and the cloud computing user pay is the risk mitigation involved in cloud computing.

Five main risk categories for cloud computing can be identified [4]. They are:

Organizational Risks: Organizational risks are those with a negative impact on the organization's structure and/or its business entity. The main risk is the loss of business reputation as a CSP. CSPs are tasked contractually with guaranteeing the information security requirements of their customers. It is important that the CSP provide all the necessary information that the CSU can use to build its trust towards the provider. This information can include the Internal Data Access Controlling Scheme and External Data Access Controlling.

Technological Risks: Technological risks are failures or limitations associated with the technologies and services provided by the Cloud Computing Provider. They include limitations of hardware capabilities as well as limitations of software capabilities. Having suitable hardware to run the required software is essential; however, it is equally important to maintain all the hardware, because it is pointless to have proper hardware without proper maintenance. Another main technological risk for a CSP is interoperability with other CSPs.


Regarding the CSU, the main technological risk is finding out whether it gets improved quality attributes (performance, availability) by moving to a cloud solution. Because of server workload and the network between the cloud and the CSU, it is difficult to compare the quality attributes of an application running on a local server and in the cloud [4]. It is recommended that the CSU clarify these gray areas with the CSP before committing to the cloud solution. The CSU can use performance assessments from unbiased third parties before signing up for a cloud solution. The lack of interoperability between different cloud vendors also affects the CSU negatively, as it makes migrating from one cloud provider to another a difficult process.

Data Security and Privacy Risks: Integrity, confidentiality and availability of data depend on the data encryption and data backup schemes available from the CSP [5]. The CSU expects the provider to be responsible in those areas. One major concern for the CSU regarding data encryption is key management. If the CSP provides key management on behalf of the user, additional security measures should be taken to cover that responsibility. However, the CSU remains responsible for the security and integrity of its data stored in the cloud, and CSUs can face serious problems if they do not maintain a proper process for managing their private keys [6]. Identity and Access Management (IAM) schemes and isolating user data at the physical and application level provide good security measures against data security and privacy risks.

Compliance: It is important to clearly state who owns the data submitted to the cloud, since the cloud may be physically in a different jurisdiction than the cloud user, and the CSP may face legal challenges for keeping some types of data physically on its cloud platform. Therefore it is always better to have prior agreements about what type of data the CSU will store in the cloud. It is equally important to agree contractually what happens to the data if the CSU chooses to leave the CSP; in this case most CSPs would prefer the CSU to delete all the data from the cloud and keep no data at the CSP at all. From the CSU's point of view, it is important to know what type of disaster recovery mechanism the CSP has, as these mechanisms might contradict some of the existing policies within the CSU's organization [7]. The CSU must always choose a CSP that complies with its organization's policies.

Physical Security: None of the above solutions for cloud computing risk is valid unless the CSP guarantees physical security for its equipment and locations. Cloud infrastructure, including servers, network, storage and other physical equipment, should be properly secured. In order to guarantee physical security, the CSP should implement and operate appropriate infrastructure controls, including staff training, physical location security and network firewalls.

1.7. Cloud Security Benefits

According to the 2009 ENISA report “Cloud Computing: Benefits, risks and recommendations for information security”, in its updated version of December 2012 [8], there are a number of security benefits offered by the cloud computing model. In this assessment, cloud security benefits are grouped into five main points, as follows:

Security and the benefits of scale:

Although it is obvious that implementing security solutions requires money, time and testing effort, it is equally clear that the cost of implementing security decreases when it is implemented across a large project, as the cost is distributed across all project components. This includes all kinds of defensive measures, such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc.

Security as a market differentiator:

Selecting a cloud service provider is one of the critical decisions and takes time, but the providers' level and reputation of security can make the selection easier. In other words, the level of security the cloud service provides is one of the main selection factors.

More timely, effective and efficient updates and defaults:

One of the main features of virtualization is centralized management. Therefore, updates can be easily and rapidly deployed across the virtualized environment. We as clients don't need to take care of it, as it is part of the service. A clear example is using MS Office versus using Office 365: with Office 365, Microsoft as the service provider is responsible for keeping the product updated and running.

Rapid, smart scaling of resources:

Resource management is a major feature in cloud computing. The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.

Benefits of resource concentration:

Virtualization brings a significant advantage of resource concentration. We are talking about resources in general including Human Resource, Power, Hardware, and software. Resource concentration has obvious advantage of less cost and less issues.

1.8. Cloud computing security concerns

Cloud computing security concerns are one of the broadest topics in cloud computing, as there is a huge amount of research about cloud security. We will use the paper on this subject published by ISC2, a global, not-for-profit leader in educating and certifying information security professionals, recognized for Gold Standard certifications and world-class education programs [9].

Data Security:

In the cloud world there is a big concern related to data security, as data is one of the most valuable assets of any organization. The concern is to be sure that, while you as the data owner (tenant of the cloud) have full control of the data, the data custodian (cloud service provider) does not have the privilege of accessing your data.

Data Loss/Leakage Prevention:

The point here is that we are using the same shared pool of resources in the cloud. This raises the concern of losing data security when you move from one storage to another, leaving the old storage to be used by others. How can we be sure that no data is lost or leaked?

Access Controls:

This is another concern that comes more into the picture because of cloud computing. A breach of one of the applications in the shared pool may lead to a breach of all other applications or services using the same shared pool of resources. The cloud service provider needs to guarantee that there is fully secure separation of data access between data owners or application users who are using the same shared pool of resources in the cloud.

Susceptibility to Cyber Attacks:

The cloud is open for everyone to access. This concept has encouraged many hackers and attackers to target it. It is an easy target, especially since malicious insiders are more prone to conduct their nefarious activities with relative impunity. One of the well-known attacks is the man-in-the-middle (MITM) attack, especially when we are talking about software as a service.

Uninterrupted Availability:

One of the effective features of the cloud is availability. There is a debate about this point, as there are two schools of thought about the availability of resources in the cloud computing model. The first school argues that, because the processing load is distributed in the cloud, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks cannot cause significant damage in the cloud. On the other side of the debate, the consumer of the provider's services will still be liable to bear the cost in this pay-per-use model of computing, and this cost may quite easily be greater than the cost of the downtime caused by the DoS or DDoS attacks.

Governance, Regulations and Compliance:

No doubt there is a contract between the cloud service provider and the consumer, but the concern here is that it must be customized according to the consumer's policies and the country's regulations. Many actions can be considered legal in some countries while they are illegal in others. Copyright is one example: what is illegal to use in the USA can be legal in other countries, and vice versa.

Cyber Forensics:

Because of the concept of shared resources and the dynamic usage of the cloud, forensic investigators face a new challenge in their investigations. That is because whatever you have today is not for sure yours tomorrow (this includes storage and memory). In addition, the forensic investigator does not have direct access to the service provider's physical infrastructure, or even full knowledge of the actual physical infrastructure of the service provider.


1.9. Cloud Security Technologies

In order to find out what services cloud service providers offer to minimize security risks for their customers, the main cloud service providers were selected and their security services explored. All these service providers provide various security technologies for their customers. Additionally, they have special awareness programs for customers so that they gain knowledge about security concerns in the cloud environment. The main areas of focus for cloud security technologies are:

Access Control and Management

Secure access to the cloud can be done using HTTPS or VPN. Most service providers provide firewall facilities for virtual instances. Some providers offer dedicated firewalls where no firewall resource will be shared with other users. Identity and Access Management is important to cloud users since they can define access and authorization levels for internal use. Cloud service providers usually provide unique credentials for each user with different roles. This implements the best practice of role-based unique users. Some cloud service providers also offer Active Directory Domains for access control additional to username and password access to enforce two-factor authentication.

Communication and Data Encryption

To ensure secure communication between the cloud and the user, SSL and VPNs are used. Cloud service providers also provide dedicated network connections to connect to the cloud from user premises; this includes the use of 802.1q VLANs. Data encryption is usually done via AES-256. Encryption can be full disk encryption, file system encryption, database encryption or encryption gateways. Some providers offer FIPS 140-2 encryption for customers who need to run ITAR-compliant applications.

Secure Key Management

Most cloud service operators provide secure key storage facilities. Also they provide third party key management solutions for their users. Hardware based crypto key storage option is another method of dealing with crypto keys. This option can be used by customers who need Hardware Security Module (HSM) appliances for cryptographic keys.

System Monitoring

System monitoring mainly focuses on detecting intrusions. Intrusion Detection Systems (IDS) and Intrusion Detection and Protection Systems (IDP) are employed for this purpose. These systems screen incoming traffic for possible attacks. Most cloud service providers do real-time monitoring and provide 24/7 network operation center support.

Third party audits

Cloud service providers are keen to obtain third-party certificates from trusted authorities, as this helps to improve their trustworthiness towards customers. This includes having ISO certification and certification under the Payment Card Industry (PCI) Data Security Standard (DSS).


2. Part 2

In the second part, we talk about standards. The paper explains what standards are, why we need them in the cloud world, and why we need to comply with them. These standards are developed by industry bodies, organizations and sometimes governments. They provide guidelines to ensure that a proper level of security is in place and that well-known security best practices are applied. Organizations in the same line of business can create a standard for that business which everybody has to follow, to ensure interoperability, to prevent vendor lock-in, to permit open middleware, and so on. One example of such a standard is the Payment Card Industry (PCI) Data Security Standard (DSS). Others are initiated as government requirements for a specific field, such as HIPAA.

Moreover, the NIST and FISMA definitions will be discussed in detail as the main examples of auditing the cloud in general and cloud storage specifically.

2.1. What is FISMA:

FISMA is the Federal Information Security Management Act [10], United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. Complying with it can help you reach higher security standards for information systems, for example by encrypting information and storing it in geographically redundant and secure facilities. Depending on the risk level of the sensitive information, FISMA defines three security categories, namely Low, Moderate and High. Each level has a set of minimum requirements and builds on the previous one.

FISMA requires federal agencies to have an information security system for their data and infrastructure. The FISMA levels require cloud companies to implement an extensive set of security controls, including documentation of the management, operational and technical processes used to secure the physical and virtual infrastructure, and to undergo third-party audits.

2.2. NIST SP 800-53

The NIST SP 800-53 [11] standard provides a foundation of security controls that can be incorporated into an organization's overall security requirements baseline, in order to mitigate risk and improve system and application security in both physical and virtualized environments. Many of the organizations using the NIST security requirements also have an obligation to demonstrate compliance with the SP 800-53 security requirements.

One of the major challenges for government enterprises and their service providers is to remain compliant with the SP 800-53 standard in a constantly changing threat environment. The SP 800-53 security control baselines and priorities are leveraged to provide that focus in this guidance. This prioritized approach identifies the applicable SP 800-53 security control baselines (L, M and H), the implementation priorities (P0, P1, P2, and P4), and whether the control is also included in the baselines of CNSSI 1253 for National Security Systems. These details help enterprises and their service provider partners implement a continuous improvement process that protects critical assets and data against the highest risk factors and modern, escalating threats.

Although frameworks and guidelines from a number of organizations such as NIST, COBIT, OSI, HIPAA and PCI have been known for some time in the cloud market, and facilitate the flow of security compliance-related information from a cloud vendor, how to generate this compliance-related information automatically is still an open research question. Even if a CSP claims that it is compliant with some standard and has already implemented all of its security measures, the service consumer has no direct way to verify that claim. In this paper I present a proposed approach to automate standard compliance assessment, together with different techniques that allow the required information to be obtained on demand, without human intervention or at least with as little of it as possible.

Although many standards, including NIST 800-53, also cover the human behavioral and physical security aspects of compliance, this paper focuses only on the technical part, and mainly on the cloud storage part.

Figure 5: NIST Special Publication 800-53 R4

2.3. NIST 800-53 security control structure

Security controls described in the NIST SP 800-53 publication [11] have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into eighteen families. Each family contains security controls related to the general security topic of the family. A two-character identifier uniquely identifies each security control family, for example PS (Personnel Security). Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems and devices. Table 1 lists the security control families and the associated family identifiers in the security control catalog.

Table 1: SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES

ID  FAMILY                                   ID  FAMILY
AC  Access Control                           MP  Media Protection
AT  Awareness and Training                   PE  Physical and Environmental Protection
AU  Audit and Accountability                 PL  Planning
CA  Security Assessment and Authorization    PS  Personnel Security
CM  Configuration Management                 RA  Risk Assessment
CP  Contingency Planning                     SA  System and Services Acquisition
IA  Identification and Authentication        SC  System and Communications Protection
IR  Incident Response                        SI  System and Information Integrity
MA  Maintenance                              PM  Program Management

2.4. Why do we need Cloud storage audit compliance:

With so much software as a service in use today, data heads off into the cloud and lands somewhere, and who knows where.

But that doesn’t absolve you of the need to know where your data is, how it is secured and what laws and regulations its retention must comply with. For this, you need to carry out a cloud-compliance audit.

Traditionally, data stayed safely in the data centre behind a firewall, and rarely ventured much further than branch offices or to the tape storage warehouse.

Life was more stable and easy then. But now, in the age of the cloud, there are numerous laws and regulations that make things less simple. The bottom line is, you are classed as the data controller for compliance purposes and this means you need to comply with the laws and regulations that apply in the territories in which you operate and/or data is held.

If no clear steps are taken to learn where the data is stored, control over the most valuable asset, the data itself, will be lost. A service provider may not state where your data will be held, let alone guarantee that it stays in the same country or even on the same continent. Providers may move data around for load balancing, or fail over to another datacentre if things go wrong.

For instance, if a company is based in one of the countries of the European Economic Area (EEA), it cannot store personal data outside the EEA unless it complies with Principle 8 of the UK Data Protection Act [12], which states:

“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Furthermore, you will be subject to the local laws of the country in which your service provider is based and of the country in which your data is stored. You can be prosecuted under these laws even if you just make use of a datacentre in a European country.

Another example is the 2001 USA Patriot Act [13], under which data stored in the US or UK by any company headquartered in the US is subject to access by federal authorities. This includes financial information and emails.

As a result of what has been said above, a company that stores any personal data with a cloud storage service provider needs to know where the information is stored and how it is protected. In other words, the company needs to comply with a cloud storage standard. Whether you store your data locally or use a cloud storage provider, you remain responsible for this data and it still belongs to you.

A cloud compliance audit should include:

- A review of the policies and procedures that the cloud storage provider applies to your data.

- The technical solutions in place to protect your data.

- The skills of the technical or business staff responsible for your data.

- Optionally, a physical audit of the datacentre where your data is stored.


3. Part 3

In the third part, we discuss the suggested automated framework in detail. This part goes through the different parts of the framework, such as the high-level design, the different modules, and the methodologies for collecting cloud data. A comparison between these data collection methodologies is presented to help in deciding whether to use one of them or a combination of several to collect data from the cloud service provider. At the end of this part, a practical example of one of the data collection methodologies is discussed and a sample is provided.

3.1. High level functionality design

The suggested framework mainly consists of four processes or modules [Figure 4], which are:

1. Setup controls weights process.

In this process or module, the end user can configure two main points. First, he assigns points to each control according to his standard; in our case this is NIST SP 800-53. Second, he configures how the final result will be presented: through a dashboard, for more detail about each control, or by email. See Appendix A and Appendix B for samples of how controls are extracted from the standard and points are assigned to each checklist item.

2. Data collection process.

Here, the main goal is to collect data from the cloud service provider (CSP) according to the chosen methodology.

3. Measure compliance process.

During this process, all data collected from the cloud service provider is measured against the points defined in the setup process. The framework sums the points achieved by the CSP and reports whether it is compliant or not, together with the percentage of compliance.

4. Display/send assessment results.

The last process is responsible for presenting the final result of the previous process. There are two options, selected during the setup process: display on the dashboard, send directly to the client's mail, or both.
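The measure compliance process as an added example, not code from the report: the weights are the setup-process points and the y/n answers are the collected data, both taken from the AU-4 / AU-5 sample in Appendices A and B. The 70% pass threshold is an assumption, since the report does not fix one.

```python
"""Measure-compliance process of the proposed framework (added example).

This is not the report's code. It scores the AU-4 / AU-5 sample checklist
from Appendices A and B: weights come from the setup process, y/n answers
from the data collection process. The 70 % pass threshold is an assumption;
the report does not fix one.
"""
from dataclasses import dataclass, field


@dataclass
class Question:
    text: str
    weight: int            # points assigned by the auditor in the setup process
    answer: str = "n"      # "y" / "n" from data collection; unanswered counts as "n"


@dataclass
class Control:
    ident: str             # e.g. "AU-4"
    questions: list = field(default_factory=list)


def control_score(control):
    """Return (gained, available) points for one control."""
    for q in control.questions:
        if q.weight <= 0:
            raise ValueError(f"{control.ident}: weight must be positive: {q.text!r}")
        if q.answer.lower() not in ("y", "n"):
            raise ValueError(f"{control.ident}: answer must be y/n: {q.answer!r}")
    gained = sum(q.weight for q in control.questions if q.answer.lower() == "y")
    return gained, sum(q.weight for q in control.questions)


def compliance_percentage(controls):
    """Overall percentage = gained points / available points over all controls."""
    gained = available = 0
    for c in controls:
        g, a = control_score(c)
        gained += g
        available += a
    if available == 0:
        raise ValueError("no weighted checklist questions configured")
    return 100.0 * gained / available


def assess(controls, threshold=70.0):
    """Dashboard-style result: per-control scores, overall percentage, verdict."""
    per_control = {c.ident: control_score(c) for c in controls}
    pct = compliance_percentage(controls)
    return {"controls": per_control, "percentage": round(pct, 1), "compliant": pct >= threshold}


# Sample setup (weights) and collected answers, taken from Appendices A and B.
SAMPLE = [
    Control("AU-4", [
        Question("Does the CSP allocate disk space for logs and audit records?", 5, "y"),
        Question("Does the CSP allow the appropriate roles to delete system logs?", 2, "y"),
        Question("Does the CSP allow the appropriate roles to manage log maintenance?", 3, "n"),
        Question("Does the CSP provide temporary log space when the log store is unreachable?", 1, "y"),
    ]),
    Control("AU-5", [
        Question("Does the CSP monitor the disk space available for logs and audit records?", 5, "y"),
        Question("Does the CSP send alerts if free disk space falls below a threshold?", 2, "y"),
        Question("Does the CSP buffer audit/log data at the agent until disk space is available?", 4, "n"),
        Question("Does the CSP support log maintenance that deletes unwanted logs?", 3, "y"),
        Question("Can the organization delete logs by age (1 to 365 days) or delete all logs?", 5, "y"),
    ]),
]

if __name__ == "__main__":
    print(assess(SAMPLE))   # percentage 76.7 (the report's display page rounds it to 77%)
```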


Figure 6: High level functionality design


3.2. Proposed System Architecture

The main parts of the proposed framework are presented in Figure 5. The end user, auditor or admin accesses the framework to set up the points for each control of the standard; these points are used later when deciding whether the cloud service provider is compliant with the standard and, if so, to what percentage. The Data Collection Module is then responsible for connecting to the CSP through one or more of the data collection methodologies. These methodologies are presented in Figure 5 and Figure 6 and are explained in more detail later.

Figure 7: Proposed System Architecture

After collecting the required data from the CSP, the framework passes it to the Measure Compliance Process, where a number of calculations and comparisons produce the final decision about the CSP's compliance percentage, based on the end user's inputs during the Setup Process.

Finally, the framework displays all the information on the dashboard, sends it to the end-user/client, or does both.


Figure 8: Framework swimlane diagram


3.3. Main auto-data collection methodologies

According to the suggested framework, there are four main automated data collection methods for collecting the standard's data from the cloud service provider (CSP). They are:

1. API

Cloud APIs are application programming interfaces (APIs) used to build applications in the cloud computing market. They allow software to request data and computations from one or more services through a direct or indirect interface, and most commonly expose their features via REST and/or SOAP [14]. The framework connects to the CSP through a secure connection. The Simple Cloud API, the Amazon Web Services API, the OpenStack API and Google Compute Engine are examples of well-known APIs which are also supported by many vendors [15] [16]. Benefits: fast and easy to collect data. Drawbacks: may need modifications on the CSP side.

2. Log file analysis:

This methodology is a direct way of collecting data from the CSP, since the main source of data is the system log files. Analyzing these files requires secure access to the CSP infrastructure via some kind of secure connection, such as SSH. The framework then has full access to all the information the standard requires, based on accurate CSP data. Benefits: no modifications needed on the CSP side; accurate information, as it is gathered from the source; trusted, as the framework performs the whole process. Drawbacks: it depends on the operating system, since each operating system has different log files.

3. Log files of a third-party vulnerability tool:

Nowadays, hiring a company to perform a vulnerability assessment is common, so this process can be reused in a different way: the log files of the assessment serve as input to our framework, which extracts the auditing information from them. Benefits: accurate results; no modifications needed on the CSP side. Drawbacks: hiring a third party is costly, and it is time-consuming because the main goal of the assessment is not auditing but vulnerability assessment.

4. Questionnaire sheet

This method relies on giving the CSP the facility to enter its claims about the standard on a web page and agreeing to add them to the SLA as part of the contract between the end user and the CSP. It is still automatic, since all the framework processes remain automatic, but it depends on the CSP's claims rather than on an investigation of the cloud system. Benefits: easy and fast to implement; can be considered a legal commitment as part of the SLA. Drawbacks: not accurate and may not reflect the current CSP setup; depends on trusting the CSP.

Figure 9: Data Collection Methodologies
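The log file analysis methodology (method 2 above) as an added example, not code from the report: it answers the AU-4 / AU-5 checklist items from Appendix A by parsing configuration the framework would have fetched from the CSP host over SSH. The auditd.conf and logrotate contents are constructed samples, and the mapping from configuration keys to checklist answers is this example's own assumption, not something the report specifies.

```python
"""Log-file-analysis collector for the AU-4 / AU-5 checklist (added example).

Not the report's code. It assumes the framework has already fetched
/etc/audit/auditd.conf and the logrotate rule for the audit log from the
CSP host over SSH; the two strings below are constructed stand-ins for them.
The mapping from configuration keys to checklist answers is this example's
own, not something the report specifies.
"""
import re

# Constructed sample of auditd.conf as copied from a CSP host.
AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 8              # MB per file
max_log_file_action = ROTATE
num_logs = 5
space_left = 75               # MB free before the first warning
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
"""

# Constructed sample of the logrotate rule for the same host.
LOGROTATE_RULE = """\
/var/log/audit/audit.log {
    daily
    rotate 30
    maxage 90
    compress
}
"""

ALERTING_ACTIONS = {"syslog", "email", "exec"}   # auditd actions that notify someone


def parse_kv(text):
    """Parse 'key = value' lines (auditd.conf style), ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_logrotate(text):
    """Parse a logrotate rule body into {directive: argument-or-None}."""
    body = re.search(r"\{(.*)\}", text, re.S)
    rule = {}
    for line in (body.group(1) if body else "").splitlines():
        parts = line.strip().split()
        if parts:
            rule[parts[0]] = parts[1] if len(parts) > 1 else None
    return rule


def collect_answers(auditd_text, logrotate_text):
    """Answer the checklist items this evidence can decide; 'n' whenever evidence is absent."""
    a = parse_kv(auditd_text)
    r = parse_logrotate(logrotate_text)
    # Reserved audit storage = size per file * number of files kept (auditd semantics).
    reserved_mb = int(a.get("max_log_file", 0)) * int(a.get("num_logs", 0))
    age = r.get("maxage") or ""
    maxage = int(age) if age.isdigit() else None
    rotates = a.get("max_log_file_action", "").upper() == "ROTATE" or "rotate" in r
    return {
        "AU-4 allocates log storage": "y" if reserved_mb > 0 else "n",
        "AU-5 monitors free log space": "y" if "space_left" in a else "n",
        "AU-5 alerts below threshold": "y" if a.get("space_left_action", "").lower() in ALERTING_ACTIONS else "n",
        "AU-5 deletes unwanted logs": "y" if rotates else "n",
        "AU-5 deletes logs by age (1-365 days)": "y" if maxage and 1 <= maxage <= 365 else "n",
    }
```

The returned y/n answers feed the measure compliance process unchanged, so a missing configuration key is scored as a failed checklist item rather than as unknown.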

Future Plans

The framework needs to be implemented in practice in order to work through the expected challenges, such as CSP cooperation and differing platforms. The eventual implementation will be customized to be flexible enough to include other standards and to communicate with different CSPs. I expect that Java will be one of the best options for this implementation.


Conclusion:

The framework could prove that it is possible to achieve almost complete automation in assessing whether a cloud service provider is compliant with NIST SP 800-53. It can save a great deal of time, cost and effort during the compliance assessment process. There are a number of challenges to implementing this framework, such as the variety of CSP technologies and the different OSs, but it is doable if we follow the framework and collect vendor data via one or more of the collection methodologies. This framework needs to be proved in practice through future work, by implementing it with one of the new technologies and solving the expected problems.


Bibliography

[1] S. Ludwig, "Cloud 101: What the heck do IaaS, PaaS and SaaS companies do?," http://venturebeat.com/, 2011.

[2] S. G. J. S. Larry Coyne, "IBM Private, Public, and Hybrid Cloud," March 2014. [Online].

[3] www.cleargovsolutions.com, "GSA IaaS BPA LOT 1 – CLOUD STORAGE," March 2014. [Online]. Available: http://www.cleargovsolutions.com/vehicles/gsa-iaas-bpa-lot-1-cloud-storage/.

[4] R. Latif, H. Abbas, S. Assar and Q. Ali, "Cloud Computing Risk Assessment: A Systematic Literature Review," in Lecture Notes in Electrical Engineering: Future Information Technology, Springer Berlin Heidelberg, 2014, pp. 285-295.

[5] S. Creese, M. Goldsmith and P. Hopkins, Inadequacies of Current Risk Controls for the Cloud, Springer, 2013.

[6] K. Lee, "Security threats in cloud computing environments," International Journal of Network Security & Its Applications, vol. 6, no. 4, 2013.

[7] A. Bisong and S. M. Rahman, "AN OVERVIEW OF THE SECURITY CONCERNS IN," International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 1, 2011.

[8] T. H. Lionel Dupré, "Cloud Computing Benefits, risks and recommendations for information security," The European Network and Information Security Agency (ENISA), December 2012.

[9] C. C. A. M. M. N. E. Mano Paul, "Security in the Skies: Cloud computing security concerns, threats, and controls," ISC2.org, 2012.

[10] NIST, "FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) IMPLEMENTATION PROJECT," March 2014. [Online]. Available: http://csrc.nist.gov/groups/SMA/fisma/.

[11] NIST, NIST Special Publication 800-53, USA: NIST, 2014.

[12] M. Rouse, U.K. Data Protection Act 1998 (DPA 1998), UK: http://searchstorage.techtarget.co.uk/, 2008.

[13] M. Rouse, Patriot Act, USA: http://searchdatamanagement.techtarget.com/, 2010.

[14] Wikipedia, "Cloud API," Wikipedia.org, August 2011. [Online]. Available: http://en.wikipedia.org/wiki/Cloud_API.

[15] D. Tidwell, "The Simple Cloud API," Software Group Strategy, EMC, 2009.

[16] B. Kleyman, "Understanding Cloud APIs, and Why They Matter," datacenterknowledge.com, Oct 2012. [Online]. Available: http://www.datacenterknowledge.com/archives/2012/10/16/understanding-cloud-integration-a-look-at-apis/. [Accessed Mar 2014].

[17] jQuery, "jQuery," March 2014. [Online]. Available: http://jquery.com.

[18] A. S. A. a. J. Y. Kazi Wali Ullah, "Towards Building an Automated Security," IEEE International Conference, pp. 1587-1593, 2013.


Appendix A: NIST SP 800-53 sample Controls

Each entry gives the NIST SP 800-53 control, its priority, the baselines (L, M, H) it belongs to, whether it is also in the CNSSI 1253 baselines, and the checklist questions derived from it.

AU-4 Technical / Audit and Accountability / Audit Storage Capacity

    Priority: P1
    Baseline: L M H
    CNSSI 1253: included
    Control: The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
    Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.
    Checklist:
    - Does the CSP allocate disk space for logs and audit records?
    - Does the CSP allow the appropriate account-user roles to delete system logs?
    - Does the CSP allow the appropriate account-user roles to manage log maintenance?

AU-4 (1) Technical / Audit and Accountability / Audit Storage Capacity / Transfer to Alternate Storage

    Control: The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
    Supplemental Guidance: Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.
    Checklist:
    - Does the CSP provide temporary space for logs and audit records when there is no communication with the designated log and audit record storage?

AU-5 Technical / Audit and Accountability / Response to Audit Processing Failures

AU-5 (1) Technical / Audit and Accountability / Response to Audit Processing Failures / Audit Storage Capacity

    Priority: P1
    Baseline: H
    CNSSI 1253: included
    Control: The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
    Supplemental Guidance: Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.
    Checklist:
    - Does the CSP monitor the disk space available for logs and audit records?
    - Does the CSP send alerts if free disk space falls below a threshold level?
    - Does the CSP buffer audit/log data in temporary memory at the agent until sufficient free disk space is available?
    - Does the CSP support log maintenance that deletes unwanted logs?
    - Does the CSP give the organization the ability to delete logs based on age (logs older than 1 to 365 days) or to delete all logs?


Appendix B: Sample of Setup Page

The number after each checklist question is the weight (points) assigned to it during the setup process.

AU-4 Technical / Audit and Accountability / Audit Storage Capacity

    Does the CSP allocate disk space for logs and audit records?                                                             5
    Does the CSP allow the appropriate account-user roles to delete system logs?                                             2
    Does the CSP allow the appropriate account-user roles to manage log maintenance?                                         3
    Does the CSP provide temporary space for logs and audit records when there is no communication with the designated log and audit record storage?   1

AU-5 Technical / Audit and Accountability / Response to Audit Processing Failures

    Does the CSP monitor the disk space available for logs and audit records?                                                5
    Does the CSP send alerts if free disk space falls below a threshold level?                                               2
    Does the CSP buffer audit/log data in temporary memory at the agent until sufficient free disk space is available?      4
    Does the CSP support log maintenance that deletes unwanted logs?                                                         3
    Does the CSP give the organization the ability to delete logs based on age (logs older than 1 to 365 days) or to delete all logs?   5


Sample of Display page (Compliance Percentage)

Controls / Compliance Questionnaire                                                                                         Y/N   Gained Points

AU-4 Technical / Audit and Accountability / Audit Storage Capacity

    Does the CSP allocate disk space for logs and audit records?                                                             y     5
    Does the CSP allow the appropriate account-user roles to delete system logs?                                             y     2
    Does the CSP allow the appropriate account-user roles to manage log maintenance?                                         n     0
    Does the CSP provide temporary space for logs and audit records when there is no communication with the designated log and audit record storage?   y     1

AU-5 Technical / Audit and Accountability / Response to Audit Processing Failures

    Does the CSP monitor the disk space available for logs and audit records?                                                y     5
    Does the CSP send alerts if free disk space falls below a threshold level?                                               y     2
    Does the CSP buffer audit/log data in temporary memory at the agent until sufficient free disk space is available?      n     0
    Does the CSP support log maintenance that deletes unwanted logs?                                                         y     3
    Does the CSP give the organization the ability to delete logs based on age (logs older than 1 to 365 days) or to delete all logs?   y     5

Compliance percentage (gained points / total points): 77%


End of the project.