
White Paper

Security Recommendations for Cloud Computing Providers (Minimum information security requirements)

www.bsi.bund.de

Contents

Preamble
The BSI Serving the Public
1 Introduction
1.1 Motivation
1.2 Objectives
1.3 Target audience
1.4 Method of application
1.5 Defining the scope of the BSI security recommendations
2 Cloud Computing basics
2.1 What is Cloud Computing?
2.2 How does a public cloud differ from a private cloud?
2.3 Which different service models are available in Cloud Computing?
2.4 How does Cloud Computing differ from traditional IT outsourcing?
2.5 Strategic planning of Cloud Computing services by users
3 Security management by the provider
4 Security architecture
4.1 Data centre security
4.2 Server security
4.3 Network security
4.4 Application and platform security
4.5 Data security
4.6 Encryption and key management
5 ID and rights management
6 Control options for users
7 Monitoring and security incident management
8 Business continuity management
9 Portability and interoperability
10 Security testing and Audit
11 Requirements of personnel
12 Drawing up agreements
12.1 Transparency
12.2 Service level agreements (SLA)
13 Data protection and compliance
13.1 Data protection
13.2 Compliance
14 Prospects
15 Glossary
16 References
17 Acknowledgements

Preamble

Minimised risk in Cloud Computing

Cloud Computing has the long-term potential to change the way information technology is provided and used. But information security is a key factor if IT services from the cloud are to be used reliably. To create a sustainable basis in terms of security in Cloud Computing, in September 2010 the German Federal Office for Information Security (German abbreviation BSI) promoted an exchange of practical experience. The providers of relevant solutions, their users and security experts were invited to debate the white paper published by the BSI which defined the minimum requirements for information security in Cloud Computing.

It is not only the traditional attack scenarios that are relevant to cloud systems. There are also specific characteristics, such as the fact that multiple users share a common IT infrastructure. The dynamic sharing of the IT service across multiple locations also represents a particular challenge.

The sector's many responses to this BSI initiative showed that the strategy of having a joint, practical discussion between providers and users was a correct one: the white paper was generally well received by those involved in the market. This is evidenced by the many queries and numerous constructive comments. The outcomes from that discussion have now been documented in this paper.

The BSI, working with those involved, aims to develop reasonable, adequate security requirements for Cloud Computing to ensure that information, applications and systems are protected. We have come much closer to realising this goal. The minimum requirements described below are scalable in terms of availability and confidentiality. They provide a methodological starting point, from which other issues can be integrated and then adjusted to changing circumstances on an ongoing basis. Furthermore, they are a good basis for debates at international level. International standards are the certification basis for interoperability and information security. It is only this basis that will enable users to acquire a complete, reliable picture of the various cloud offerings available. As the next step we are planning to incorporate Cloud Computing into the BSI's IT-Grundschutz (basic protection) approach.

It is only when the relevant services are provided with a high degree of security that the potential in cloud solutions such as flexibility, efficiency, reduced costs and the provision and use of information technology will really be able to be exploited.

I hope you find your reading extremely rewarding.

Michael Hange

The BSI Serving the Public

The Federal Office for Information Security (BSI), based in Bonn, was founded on January 1st 1991 and forms part of the Federal Ministry of the Interior.

With, currently, around 500 employees and a budget of 62 million Euros, the BSI is an independent, neutral body that deals with all issues relating to IT security in the information society.

As the central IT security provider for the federal government, the BSI operates on behalf of the government, works in partnership with the commercial sector, and provides information to the public.

Through its work on basic IT security, the BSI, as the national IT security authority, is responsible for our society and is, therefore, a key pillar of domestic security in Germany.

The BSI's objective is that information and communication technology can be used securely in our society. IT security should be taken seriously and implemented responsibly. The security issues involved in IT systems and applications should be dealt with up-front, at the development stage.

The BSI aims its services at users and manufacturers of information technology. The target group includes public authorities at the national, state and district levels, private users and companies.

This white paper on Cloud Computing provides a compact overview of the main organisational, personnel, infrastructural and technical information security measures for Cloud Computing providers.

1 Introduction

1.1 Motivation

Cloud Computing is currently one of the hottest topics in information technology (IT). However, it is not so much that the term Cloud Computing represents a host of new technologies, but rather that these technologies are combined and effectively upgraded so that they enable new IT services and new business models.

With Cloud Computing, as with many new technologies and services, information security and data protection issues are intensely debated, and examined far more critically than is the case with offerings that have been around for a while. Many surveys and studies reveal that potential customers have concerns about information security and data protection which stand in the way of a wider deployment. The required trust still needs to be developed if cloud offerings are to be taken advantage of.

For this reason, the BSI has drawn up recommendations for secure Cloud Computing which are primarily aimed at cloud service providers (CSP). These CSPs have the means and the obligation to adequately implement information security. They may use this white paper as a guideline for implementing security measures. Cloud users, for their part, who are affected by these recommendations can ask the CSPs whether they have been implemented. However, the initial step for any cloud customer should be to clarify what protection their own data and applications require. This will largely determine whether, and upon which underlying conditions, business-related data and applications may be stored in the cloud.

The white paper provides an overview of the main Cloud Computing areas in which security should be implemented. Not all the points listed are equally relevant to all cloud services. For example, since the threat profile differs in some areas for private and public clouds, different security measures must sometimes be taken.

This document does not only examine cloud-specific issues, but also examines underlying information security requirements, since these form the basis on which all cloud services are to rest. The recommendations have been kept largely abstract, with no detailed instructions on their implementation being provided. Doing so would be beyond the remit of the document and would not allow for the diversity of cloud offerings. Assessing the security of any particular offering, therefore, must also be undertaken on a case-by-case basis.

1.2 Objectives

Though IT services from the cloud are becoming increasingly in demand around the world, almost every survey and study shows that there are also many concerns which discourage users from using Cloud Computing services. A lack of faith in the security of the services provided is frequently cited as being one of the main barriers. As the central information security service provider for the federal government in Germany, the BSI feels it is important that it is actively involved in shaping the development phase for cloud services.

The primary objective of this white paper is to provide a basis for discussion between CSPs and cloud customers. As a further aim, the paper intends to provide the basis for working out, based on this discussion, specific recommendations as to how companies and public bodies can make cloud services secure. The white paper is the first step towards creating standards based on which the security of Cloud Computing platforms can be verified. The requirements formulated in this paper will continue to be debated and, where necessary, revised, and further details will be worked out. However, the aim is not to make the guidelines more specific. They are to retain their current depth, and any further additions and details on the subject of Cloud Computing will be fed into IT-Grundschutz, for example in the form of IT-Grundschutz modules or short information. There are plans to develop IT-Grundschutz modules for both using and providing cloud services. The BSI 100-2 standard for integrating cloud issues into the IT-Grundschutz methodology needs to be adjusted, particularly in the area of modelling complex, virtualised information networks.

1.3 Target audience

The white paper is aimed at IT professionals involved in providing or using cloud services. Issues of information security will be mentioned in passing and wea
