Security Recommendations Cloud Computing Providers

Download Security Recommendations Cloud Computing Providers

Post on 09-Feb-2016

32 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

Cloud COmputing

TRANSCRIPT

  • White Paper

    Security Recommendations for Cloud Computing Providers(Minimum information security requirements)

    www.bsi.bund.de

  • 1Contents

    Contents

    Preamble 3

    TheBSIServingthePublic 5

    1 Introduction 7

    1.1 Motivation 7

    1.2 Objectives 8

    1.3 Targetaudience 9

    1.4 Methodofapplication 9

    1.5 DefiningthescopeoftheBSIsecurityrecommendations 10

    2 CloudComputingbasics 12

    2.1 WhatisCloudComputing? 12

    2.2 Howdoesapublicclouddifferfromaprivatecloud? 14

    2.3 Whichdifferentservicemodelsareavailablein

    CloudComputing? 15

    2.4 HowdoesCloudComputingdifferfromtraditional

    IToutsourcing? 16

    2.5 StrategicplanningofCloudComputingservicesbyusers 17

    3 Securitymanagementbytheprovider 19

    4 Securityarchitecture 23

    4.1 Datacentresecurity 23

    4.2 Serversecurity 25

    4.3 Networksecurity 27

    4.4 Applicationandplatformsecurity 29

    4.5 Datasecurity 32

    4.6 Encryptionandkeymanagement 34

    5 IDandrightsmanagement 36

  • 2Contents

    6 Controloptionsforusers 39

    7 Monitoringandsecurityincidentmanagement 40

    8 Businesscontinuitymanagement 43

    9 Portabilityandinteroperability 46

    10 SecuritytestingandAudit 48

    11 Requirementsofpersonnel 50

    12 Drawingupagreements 53

    12.1 Transparency 53

    12.2 Servicelevelagreements(SLA) 55

    13 Dataprotectionandcompliance 57

    13.1 Dataprotection 57

    13.2 Compliance 59

    14 Prospects 62

    15 Glossary 64

    16 References 66

    17 Acknowledgements 68

  • 3Preamble

    Preamble

    Minimised risk in Cloud Computing

    CloudComputinghasthelong-termpotential

    tochangethewayinformationtechnologyispro-

    videdandused.Butinformationsecurityisakey

    factorifITservicesfromthecloudaretobeused

    reliably.Tocreateasustainablebasis in termsof

    security inCloudComputing, inSeptember2010

    theGermanFederalOffice for InformationSecu-

    rity (German abbreviation BSI) promoted an ex-

    changeofpracticalexperience.Theprovidersof

    relevantsolutions,theirusersandsecurityexperts

    wereinvitedtodebatethewhitepaperpublishedbytheBSIwhichdefinedthe

    minimumrequirementsforinformationsecurityinCloudComputing.

    Itisnotonlythetraditionalattackscenariosthatarerelevanttocloudsys-

    tems.Therearealsospecificcharacteristics,suchasthefactthatmultipleusers

    shareacommonITinfrastructure.ThedynamicsharingoftheITserviceacross

    multiplelocationsalsorepresentsaparticularchallenge.

    ThesectorsmanyresponsestothisBSIinitiativeshowedthatthestrategyof

    havingajoint,practicaldiscussionbetweenprovidersanduserswasacorrect

    onethewhitepaperwasgenerallywellreceivedbythoseinvolvedinthemar-

    ket. This is evidencedby themanyqueriesandnumerous constructive com-

    ments.Theoutcomesfromthatdiscussionhavenowbeendocumentedinthis

    paper.

    TheBSI,workingwiththoseinvolved,aimstodevelopreasonable,adequate

    securityrequirementsforCloudComputingtoensurethatinformation,appli-

    cationsandsystemsareprotected.Wehavecomemuchclosertorealisingthis

  • 4Preamble

    goal. Theminimum requirements described below are scalable in terms of

    availabilityandconfidentiality.Theyprovideamethodologicalstartingpoint,

    fromwhichotherissuescanbeintegratedandthenadjustedtochangingcir-

    cumstancesonanongoingbasis. Furthermore, theyareagoodbasis forde-

    batesatinternationallevel.Internationalstandardsarethecertificationbasis

    forinteroperabilityandinformationsecurity.Itisonlythisbasisthatwillena-

    bleuserstoacquireacomplete,reliablepictureofthevariouscloudofferings

    available.Asthenextstepweareplanningto incorporateCloudComputing

    intotheBSIsIT-Grundschutz(basic protection)approach.

    Itisonlywhentherelevantservicesareprovidedwithahighdegreeofse-

    curity that thepotential incloudsolutionssuchasflexibility,efficiency,re-

    ducedcostsandtheprovisionanduseofinformationtechnologywillreallybe

    abletobeexploited.

    Ihopeyoufindyourreadingextremelyrewarding.

    MichaelHange

  • 5The BSI Serving the Public

    TheBSIServingthePublic

    The Federal Office for Information Security (BSI), based in Bonn, was

    founded on January 1st 1991 and forms part of the Federal Ministry of the

    Interior.

    With,currently,around500employeesandabudgetof62millionEuros,

    theBSIisanindependent,neutralbodythatdealswithallissuesrelatingtoIT

    securityintheinformationsociety.

    As the central IT security provider for the federal government, the BSI

    operatesonbehalfofthegovernment,worksinpartnershipwiththecommer-

    cialsector,andprovidesinformationtothepublic.

    ThroughitsworkonbasicITsecurity,theBSI,asthenationalITsecurityau-

    thority,isresponsibleforoursocietyandis,therefore,akeypillarofdomestic

    securityinGermany.

  • 6The BSI Serving the Public

    TheBSIsobjectiveisthatinformationandcommunicationtechnologycan

    beusedsecurely inoursociety. ITsecurityshouldbetakenseriouslyand im-

    plemented responsibly. The security issues involved in IT systems andappli-

    cationsshouldbedealtwithup-front,atthedevelopmentstage.

    TheBSIaimsitsservicesatusersandmanufacturersofinformationtechnol-

    ogy.Thetargetgroupincludespublicauthoritiesatthenational,stateanddis-

    trictlevels,privateusersandcompanies.

    ThiswhitepaperonCloudComputingprovidesacompactoverviewofthe

    mainorganisational,personnel,infrastructuralandtechnicalinformationse-

    curitymeasuresforCloudComputingproviders.

  • 7Introduction

    1 Introduction

    1.1 Motivation

    CloudComputingiscurrentlyoneofthehottesttopicsininformationtech-

    nology(IT).However,itisnotsomuchthatthetermCloudComputingrepre-

    sentsahostofnewtechnologies,butratherthatthesetechnologiesarecom-

    binedandeffectivelyupgraded so that theyenablenew IT servicesandnew

    businessmodels.

    WithCloudComputing,aswithmanynewtechnologiesandservices,infor-

    mationsecurityanddataprotection issuesare intenselydebated,andexam-

    inedfarmorecriticallythanisthecasewithofferingsthathavebeenaroundfor

    awhile.Many surveysand studies reveal thatpotential customershavecon-

    cernsaboutinformationsecurityanddataprotectionwhichstandinthewayof

    awiderdeployment.Therequiredtruststillneedstobedevelopedifcloudof-

    feringsaretobetakenadvantageof.

    For thisreason, theBSIhasdrawnuprecommendations forsecureCloud

    Computingwhichareprimarilyaimedatcloudserviceproviders(CSP).These

    CSPshavethemeansandtheobligationtoadequatelyimplementinformation

    security.Theymayusethiswhitepaperasaguidelineforimplementingsecu-

    ritymeasures.Cloudusers,fortheirpart,whoareaffectedbytheserecommen-

    dationscanasktheCSPswhethertheyhavebeenimplemented.However,the

    initial step foranycloudcustomershouldbe toclarifywhatprotection their

    owndataandapplicationsrequire.Thiswill largelydeterminewhether,and

    upon which underlying conditions, business-related data and applications

    maybestoredinthecloud.

    ThewhitepaperprovidesanoverviewofthemainCloudComputingareas

    inwhichsecurityshouldbeimplemented.Notallthepointslistedareequally

    relevant to all cloud services. For example, since the threat profile differs in

  • 8Introduction

    some areas for private and public clouds, different security measures must

    sometimesbetaken.

    Thisdocumentdoesnotonlyexaminecloud-specificissues,butalsoexam-

    inesunderlyinginformationsecurityrequirements,sincetheseformthebasis

    onwhichallcloudservicesaretorest.Therecommendationshavebeenkept

    largelyabstract,withnodetailedinstructionsontheirimplementationbeing

    provided.Doingsowouldbebeyondtheremitofthedocumentandwouldnot

    allowforthediversityofcloudofferings.Assessingthesecurityofanyparticu-

    laroffering,therefore,mustalsobeundertakenonacase-by-casebasis.

    1.2 Objectives

    ThoughITservices fromthecloudarebecoming increasingly indemand

    around the world, almost every survey and study shows that there are also

    many concerns which discourage users away from using Cloud Computing

    services.Alackoffaithinthesecurityoftheservicesprovidedisfrequentlycit-

    edasbeingoneofthemainbarriers.Asthecentralinformationsecurityservice

    providerforthefederalgovernmentinGermany,theBSIfeels it is important

    thatitisactivelyinvolvedinshapingthedevelopmentphaseforcloudservices.

    Theprimaryobjectiveofthiswhitepaperistoprovideabasisfordiscussion

    betweenCSPsandcloudcustomers.Asafurtheraim,thepaperintendstopro-

    videthebasisforworkingout,basedonthisdiscussion,specificrecommenda-

    tionsastohowcompaniesandpublicbodiescanmakecloudservicessecure.

    Thewhitepaperisthefirststeptowardscreatingstandardsbasedonwhichthe

    securityofCloudComputingplatformscanbeverified.Therequirementsfor-

    mulated in thispaperwill continue tobedebatedand,wherenecessary, re-

    vised,andfurtherdetailswillbeworkedout.However,theaimisnottomake

    theguidelinesmorespecific.Theyare toretain theircurrentdepth,andany

    furtheradditionsanddetailsonthesubjectofCloudComputingwillbefedinto

    IT-Grundschutz,forexampleintheformofIT-Grundschutzmodulesorshort

    informations.ThereareplanstodevelopIT-Grundschutzmodulesforbothus-

  • 9Introduction

    ingandprovidingcloudservices.TheBSI100-2standardforintegratingcloud

    issuesintotheIT-Grundschutzmethodologyneedstobeadjusted,particularly

    intheareaofmodellingcomplex,virtualisedinformationnetworks.

    1.3 Target audience

    ThewhitepaperisaimedatITprofessionalsinvolvedinprovidingorusing

    cloudservices.Issuesofinformationsecuritywillbementionedinpassingand

    weassumeabasicunderstandingofinformationsecurityatthetechnical,in-

    frastructural,personnelandorganisationlevels.

    TherecommendationsareprimarilyaimedatCSPsprovidingtheseservices

    tocompaniesandpublicbodies,andatprofessionalusers.Theyarenotaimed

    directly at private users who use specific cloud services, but theymay help

    guidesuchusersonsecurityissues.

    1.4 Method of application

    Thepoints listedbelow show,atanabstract level,which securitymeas-

    uresaCSPshouldimplement.Bothastructuredprocessandaneffectivesys-

    temformanaginginformationsecurityareprerequisitesifanadequatelevel

    ofsecurityistobeachievedandmaintainedinacompanyorpublicbody.Rel-

    evantnorms,suchasISO27001andtheBSI100-2standardontheIT-Grund-

    schutzmethodology,describehowafunctioningsystemofmanaginginfor-

    mationsecuritycanbebuiltandwhatitshouldinclude.ForCloudComputing

    servicestobeprotected,thethreatsthatarespecifictoCloudComputingalso

    need tobeanalysed,andappropriate securitymeasuresmustbe identified

    andimplemented.

    EachCSPmust, therefore,produceariskanalysis identifyingthecurrent

    and relevant threats to the services they operate,which impacts theymight

    haveandhowtheidentifiedrisksaretobedealtwith,forexamplethroughspe-

    cificsecuritymeasures.Toalesserdegree,cloudusersalsoneedtoassessthe

    risks thatmay arise for themby storing data or running applications in the

  • 10

    Introduction

    cloud.Thesecurityrecommendationspresentedinthiswhitepaperconstitute

    aframeworkforaddressingtheCloudComputingareasthattheBSIfeelsare

    critical.

    WhenaCSPisconsideringtheriskfactors,theyusuallyfacethechallengeof

    notknowinginadvancethevalueortheprotectionrequirementofthecustom-

    ersdata.Onesolutionwouldbetoofferahighorveryhighprotectionlevelfor

    allcustomersandtheirdata.Experienceshows,however,thatthisistooexpen-

    sivefordatawithanormalprotectionrequirement.CSPsshouldaddresstheis-

    sueofinformationsecuritywiththeircustomersatanearlystage.Information

    securityisoneofthemaindecision-makingcriteriathatcustomershavewhen

    selecting cloud service providers and specific cloud services. So CSPs should

    demonstratetotheircustomershowwelltheyaresetupintermsofinforma-

    tionsecurity.Thisincludesshowingtheircustomerswhichsecuritymeasures

    areastandardpartoftheirofferingsandareavailableasoptions,buttheyalso

    needtopointouttocustomerswhichsecuritymeasurestheythemselvesneed

    totake.

    1.5 Defining the scope of the BSI security recommendations

    Thefocusofthisdocumentisonsecurityissuesinthecloud-basedprocess-

    ingof informationwithanormal tohighprotectionrequirement,e.g.confi-

    dentialcompanyandpersonaldataworthyofprotection.Thespecifyingofthe

    protectionrequirementisbasedontheprotectionrequirementcategoriesas

    definedinIT-Grundschutz(seeBSIstandard100-2[1]).Thisdocumentdoesnot

    explicitlyexaminetheprotectingofdatathathasbeenratedasnationalclassi-

    fiedinformation.

    Beingthecorevaluesthatneedtobeprotected,confidentialityandavaila-

    bilityaretheprioritieswhendrawinguptheseguidelines.Thereforethesecu-

    rityrecommendationsaredividedintoavailabilityandconfidentiality,while

    integrityasacorevalueisnotgivenspecificconsideration.

    Thesecurityrecommendationsprovidedareassignedtothreecategories:

  • 11

    Introduction

    Category B (=basic requirement) includes those requirementswhicharebasicforallcloudserviceproviders.

    Category C+ (=high confidentiality) includes additional requirementswheredatawithahighprotectionrequirementintermsofconfidentiality

    istobeprocessed.

    Category A+ (=highavailability)includesadditionalrequirementswhereserviceswithahighprotectionrequirementintermsofavailabilityaretobe

    considered.

    Inthetablesthatprovideanoverviewofthesecurityrequirementsinthe

    variousareas,therearealsoarrowsshowinghowtheBSIratesthethreatlevel

    ineachareaforprivateandpublicclouds.Aright-pointingarrow()indicatesanaveragethreatlevel,whileanupward-pointingarrow()indicatesahighthreatlevel.

    AlltherequirementslistedapplytoIaaS,PaaSandSaaSunlessotherwisein-

    dicated.

    GiventhedynamicdevelopmentsintheareaofCloudComputing,thesecu-

    rityrecommendationslistedbelowwillalsoneedtoberegularlyreviewedand

    adjusted, and additional requirementsmay need to be added.Updated ver-

    sions of thiswhitepaperwill bepublishedon theBSIsweb serverwww.bsi.

    bund.de.

  • Kopfzeile

    12

    2 CloudComputingbasics

    2.1 What is Cloud Computing?

    NodefinitionofthetermCloudComputinghasyetsucceededinbecom-

    inguniversallyacceptable.Definitionsareoftenusedinpublicationsandpres-

    entationsthatareextremelysimilartoeachotherwhilenonethelessdiffering.

    OnedefinitionthatisfrequentlydrawnuponbyexpertsisthatoftheUSAsNa-

    tionalInstituteofStandardsandTechnology(NIST)[2],whichisalsousedby

    ENISA[3]:

    CloudComputingisamodelforenablingubiquitous,convenient,on-de-

    mandnetworkaccess toa sharedpoolof configurable computing resources

    (e.g.networks,servers,storage,applicationsandservices)thatcanberapidly

    provisionedandreleasedwithminimalmanagementeffortorserviceprovider

    interaction.

    UndertheNISTdefinition,thefivecharacteristicsofacloudservicearelist-

    edbelow:

    On-demand self service: Resources (e.g. server time, storage) are provi-sionedunilaterallywithoutinteractingwiththeserviceprovider.

    Broadnetworkaccess:Theservicesareavailableoverthenetwork,accessedthroughstandardmechanismsandnottiedtoaparticularclient.

    Resource pooling: The providers resources are pooled to servemultipleconsumers (multi-tenantmodel). The users do not knowwhere the re-

    sourcesarelocatedbuttheymaybeabletocontractuallyspecifythestor-

    agelocation,e.g.theregion,countryordatacentre.

    Rapidelasticity:Theservicescanberapidlyandelasticallyprovisioned,insomecasesevenautomatically.Totheconsumer,therefore,theresources

    appeartobeunlimited.

    Cloud Computing basics

  • 13

    Cloud Computing basics

    Measuredservices:Useofresourcescanbemeasuredandmonitoredandsimilarlyprovidedtothecloudusersinameasuredway.

    Thisdefinition reflects thevisionofCloudComputingalthough the indi-

    vidualpointsshouldnotbeviewedintoodogmaticamanner.Forexample,in

    thecaseofprivateclouds, theremaybenorequirementatall forubiquitous

    availability.

    AccordingtotheCloudSecurityAlliance(CSA),CloudComputingalsohas

    thefollowingcharacteristics inadditiontotheelasticityandselfservicere-

    ferredtoabove[4]:

    Service oriented architecture (SOA) is one of the basic requirements forCloud...

Recommended

View more >