Cloud Security Auditing: Challenges and Emerging Approaches

Post on 30-Jan-2017

  • Page 1

    Cloud Security Auditing: Challenges and Emerging Approaches

    Jungwoo Ryoo (jryoo@psu.edu), Syed Rizvi (srizvi@psu.edu),

    William Aiken (wva5029@psu.edu), and John Kissell (jzk5354@psu.edu)

    Penn State University

    ABSTRACT

    An Information Technology (IT) auditor collects information on an organization's information systems, practices, and operations and critically analyzes the information for improvement. One of the primary goals of an IT audit is to determine if the information system and its maintainers are meeting both the legal expectations of protecting customer data and the company standards of achieving financial successes against various security threats. These goals are still relevant to the newly emerging cloud computing model of business, but with a need for customization. We believe that there are clear differences between cloud and traditional IT security auditing, which is validated by our interviews with cloud security auditors. Therefore, this paper explores potential challenges unique to cloud security auditing. The paper also examines additional challenges specific to particular cloud computing domains such as banking, medical, and government sectors. Finally, we present emerging cloud-specific security auditing approaches and provide our critical analysis.

    INTRODUCTION

    Cloud computing, as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-145, is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell, 2011). In essence, cloud computing could simply be described as the use of computing resources, both hardware and software, which are provided over a network, and it also requires minimal interaction between users and providers. NIST goes even further to list what are deemed as five "essential characteristics" which are used for the composition of a cloud model; these five characteristics,

    Digital Object Identifier 10.1109/MSP.2013.132 1540-7993/$26.00 2013 IEEE

    This article has been accepted for publication in IEEE Security and Privacy but has not yet been fully edited. Some content may change prior to final publication.

  • Page 2

    in no particular order, are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service (Mell, 2011).

    There are primarily three service models (or service types) which are commonly implemented in the cloud: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Regardless of the service type, one of the most significant challenges in cloud computing is security and the oversight needed to enhance it. Audits provide a clear and recognizable trail of resource access for both companies and governments. Typically, audits fall into two main categories, internal and external audits, and we will be using this dichotomy of audits throughout the paper. Internal audits refer to work done by employees of the company; they concern very specific processes within the company, primarily focusing on optimization and risk management. External audits give an outside perspective on the company's ability to meet the requirements of various laws and regulations. Organizations have used traditional IT audits to evaluate issues such as availability to authorized users, and integrity and confidentiality in the storage and transmission of data. Cloud audits must be able to meet these same standards in the context of cloud computing.

    Do traditional IT security audit models meet the needs of cloud systems? What happens if the information system is completely overhauled, if all of an organization's IT resources are put in the hands of someone else (i.e., in the cloud)? By definition, cloud computing allows an organization to perform the necessary computer tasks on remote servers via a network connection while passing off the complex tasks of actual networking to a third party. Since cloud computing allows for multiple users across a large domain, it is exposed to novel security threats. These threats range from confidentiality threats when two different businesses have their data stored together (i.e., colocation due to multi-tenancy) to encryption concerns in both the home and cloud companies (such as who keeps the encryption keys). These new threats pose new challenges for security auditing, but cloud advocates are responding to them. Already there are groups such as the Cloud Security Alliance (CSA: cloudsecurityalliance.org) urging standardization of the practice of auditing cloud confidentiality, integrity, and availability.

    In this research paper, our primary research goal is to highlight the essential challenges that separate cloud security auditing from the traditional IT security auditing practices. These challenges mark the distinction between the two auditing approaches and highlight the importance of special provisions for cloud security auditing in the existing security auditing standards. Although security audits on cloud computing and those on traditional IT have similar goals and objectives, the details of how they are evaluated, such as scope, emphasis, depth, etc., divide the audits into two very distinct processes.

    In addition to the differences between the cloud and conventional IT security auditing, the specifics of cloud security auditing can vary depending on what domain the cloud is used for. These domains include medical, banking, and government sectors, and we identify the subtle differences that require somewhat different approaches despite the largely common body of the core cloud security auditing methodology.

    We also investigate the cutting edge of standards being used by the cloud industry to have a consistent line of defense against these security threats in the Emerging Approaches

  • Page 3

    section. To validate our research, we conducted a series of interviews with experienced cloud security auditors and incorporated their insights and advice into the discussions in the following sections. Some new ideas from the perspective of practitioners have also emerged from our discussions with the auditors.

    CHALLENGES

    A traditional IT security audit is an examination of the checks, balances, and controls within an IT group. An IT security audit collects, evaluates, and tests information on an organization's systems, practices, and operations, and it determines if the systems are safeguarding the information assets, maintaining data integrity, and operating effectively to achieve the organization's business goals or objectives (Cannon, 2011). Therefore, IT security auditing needs to analyze the data from internal and external sources to support audit objectives accurately.

    The cloud computing field is a flourishing industry that comes with its own set of new security challenges. A cloud infrastructure is the result of a constant three-way negotiation among service organizations, cloud service providers (CSPs), and end users to ensure productivity while maintaining a reasonable degree of security. The CSP should keep data safe from security threats and yet give the client access anywhere with an Internet service. A client organization also needs to verify that the cloud computing enterprise is contributing to its business goals and objectives, and future needs.

    Although both conventional IT security auditing and cloud security auditing share many common concerns, a security audit of the cloud system has to consider and address unique problems typically not handled in the traditional IT security audits.

    According to our interviews, the most immediate and obvious challenge lies in acquiring sufficient knowledge in cloud computing for an auditor to know what additional items to audit in order to address cloud-specific security concerns. Therefore, to function as an effective cloud security auditor, familiarity with cloud computing terminology and working knowledge of what constitutes a cloud system and how cloud services are delivered are essential. This knowledge then enables a cloud security auditor to pay special attention to a set of security factors that may be emphasized much less in a traditional IT security auditing process. These factors include transparency, encryption, colocation, scale, scope, and complexity concerns which are discussed in detail in the following subsections and summarized in .

    Transparency

    An audit must check whether a CSP keeps security-relevant data transparent to its customers. Transparency allows an organization to more easily identify potential security risks and threats and also create and develop the right countermeasures and recommendations for its

  • Page 4

    enterprise (Pauley, 2010). By having access to accurate information, a cloud service user (CSU) can reduce the risk of threats being manifested.

    A good cloud security audit would question if the CSP provides a solid balance between security procedures and end-user access. Employees may need to access the cloud from home or on a business trip. Does the CSP allow for such types of access, and can it prevent others from impersonating legitimate users? More importantly, is the CSP willingly transparent about its access control mechanisms?

    Typically, cloud computing systems are based in a large data center, and a third party subcontractor could be managing them. The client has no idea who handles the data or where exactly on the system it is stored. To expose the risks associated with this undesirable situation, a cloud security audit must strive to reveal the details to the client. Transparency of data privacy, data security, anonymity, telecommunications capacity, liability, reliability, and government surveillance ensures strong security on the client's data (Pauley, 2010). For example, a CSP that records personal information such as credit card numbers is an invitation for cyber criminals. As a result, a service-oriented company that utilizes a third-party cloud infrastructure or any CSUs should expect to know what kind of information is in the cloud at any given time to adequately respond to breaches.

    A lack of data transparency even in traditional IT audits can lead to a failure of control over in-house company resources. Systems administrators should not be the only ones to adequately understand the computing resources and the risks associated with them.

    A traditional IT security audit gathers and analyzes the data found on the company premises. Without this type of audit, a company has no idea what its assets are, where they are stored, or how to protect them from any potential threats. A company's security is theoretically non-existent without these audits. Asset enumeration (or identification) refers to this type of auditing effort. Why should the cloud be any different in terms of data transparency? In fact, transparency is even more critical in cloud security auditing because the security-relevant data is harder to obtain since CSPs control most of the data rather than CSUs. A company-wide understanding (not just by the IT department) of asset data, data location, and data policies is necessary to any cloud security audit as well. In terms of data transparency, cloud security audits require the same degree of understanding as do their traditional IT security audit counterparts, but an insufficient amount of data often exists to develop the same level of understanding.

    Encryption

    It is unsafe to store plaintext data anywhere, especially outside of the home company IT infrastructure. If the cloud were to be breached, the information would be instantly available to the hackers. A client could encrypt all of the data in-house before sending it to the cloud provider, but this approach opens risks to system administrators who may abuse their privileges. Leaving encryption to the CSP is not foolproof either because a breach in its storage system may

  • Page 5

    also mean a breach in its encryption and decryption tools. In reality, CSPs frequently provide the encryption service by default as in the case of Amazon Simple Storage Service (S3), which could result in double encryption (once by a CSU and twice by a CSP). In contrast, the Amazon Elastic Compute Cloud (EC2) service does not provide encryption by default, leaving it up to the customers. There are also third-party services available, such as ciphercloud.com, that provide their clients with the ability to encrypt the data before sending it to a CSP.

    Traditional IT infrastructures face many encryption concerns as well and must make tough decisions. Which is more important: encryption of data or access to data? If an entire data pool is encrypted at rest, how can an organization quickly and efficiently query the data without decrypting all of it? Due to its heavy computational requirements, encryption may not always be the most efficient solution. Only in situations where the sensitive data is not accessed frequently (e.g., archived payroll information), does encryption at rest become a viable option for traditional IT companies.

    A cloud infrastructure is not free from these pitfalls, either. The same question arises again: should data at rest be encrypted? The difference is that an organization does not send plaintext data to the cloud. The data in transmission is usually encrypted, using technologies like Secure Sockets Layer (SSL) as in the Amazon S3 services. Assuming that a CSU depends solely on the CSP for encryption, the CSU organization must allow the CSP to control its encryption/decryption mechanisms and have access to all the data it stores (e.g., Amazon S3).

    This is not a safe practice because if one part of the cloud should be compromised, it is possible that all encrypted data will be compromised as well. As a result, it is more desirable for encryption and decryption to take place outside the cloud's resources. But is encrypting and decrypting cloud storage data worth the extra computational resources? Possibly, but newer innovations in f...
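The transparency and encryption questions raised in the two subsections above can be expressed as checks over a data-store inventory. The following is an added example, not code from the paper or its authors: the record fields, finding names, severity levels, and sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataStore:
    """One constructed inventory record; field names are assumptions."""
    name: str
    key_holders: frozenset  # who can decrypt data at rest: subset of {"csu", "csp"}
    tls_in_transit: bool    # is data encrypted on the way to the CSP?
    location_known: bool    # does the CSU know where the data is stored?
    handler_known: bool     # does the CSU know who (e.g. a subcontractor) manages it?
    sensitive: bool         # e.g. payroll or credit card data

def audit(store):
    """Return (severity, finding) pairs for one data store."""
    findings = []
    severity = "HIGH" if store.sensitive else "MEDIUM"
    if not store.key_holders:
        findings.append((severity, "PLAINTEXT_AT_REST"))
    elif store.key_holders == {"csp"}:
        # CSP controls both ciphertext and keys: one breach can expose both.
        findings.append((severity, "CSP_ONLY_KEY_CUSTODY"))
    if "csu" in store.key_holders:
        # In-house encryption shifts risk to privileged CSU administrators.
        findings.append(("LOW", "REVIEW_CSU_ADMIN_KEY_ACCESS"))
    if store.key_holders == {"csu", "csp"}:
        findings.append(("INFO", "DOUBLE_ENCRYPTION_OVERHEAD"))
    if not store.tls_in_transit:
        findings.append((severity, "NO_TRANSPORT_ENCRYPTION"))
    if not store.location_known:
        findings.append(("MEDIUM", "DATA_LOCATION_UNKNOWN"))
    if not store.handler_known:
        findings.append(("MEDIUM", "DATA_HANDLER_UNKNOWN"))
    return findings

# Constructed sample inventory (not real systems).
INVENTORY = [
    DataStore("payroll-archive", frozenset({"csp"}), True, False, False, True),
    DataStore("vm-scratch-volume", frozenset(), True, True, True, False),
    DataStore("customer-records", frozenset({"csu", "csp"}), True, True, True, True),
]

def audit_inventory(stores):
    """Map each store name to its findings, keeping only stores with findings."""
    return {s.name: audit(s) for s in stores if audit(s)}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        for severity, code in findings:
            print(f"{severity:6} {name}: {code}")
```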
