Security and Control in the Cloud

This article was downloaded by: [Laurentian University]
On: 09 October 2014, At: 19:57
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Information Security Journal: A Global Perspective
Publication details, including instructions for authors and subscription information: …

Security and Control in the Cloud
Klaus Julisch a & Michael Hall b
a IBM Research GmbH, Rüschlikon, Switzerland
b Forbes Sinclair, Madrid, Spain
Published online: 19 Nov 2010.

To cite this article: Klaus Julisch & Michael Hall (2010) Security and Control in the Cloud, Information Security Journal: A Global Perspective, 19:6, 299-309, DOI: 10.1080/19393555.2010.514654
To link to this article: …
Information Security Journal: A Global Perspective, 19:299–309, 2010
Copyright © Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393555.2010.514654

Security and Control in the Cloud
Klaus Julisch 1 and Michael Hall 2
1 IBM Research GmbH, Rüschlikon, Switzerland
2 Forbes Sinclair, Madrid, Spain

ABSTRACT
Cloud computing is a new IT delivery paradigm that offers computing resources as on-demand services over the Internet. Like all forms of outsourcing, cloud computing raises serious concerns about the security of the data assets that are outsourced to providers of cloud services. To address these security concerns, we show how today’s generation of information security management systems (ISMSs), as specified in the ISO/IEC 27001:2005, must be extended to address the transfer of security controls into cloud environments. The resulting virtual ISMS is a standards-compliant management approach for developing a sound control environment while supporting the various modalities of cloud computing.

This article addresses chief security and/or information officers of cloud client and cloud provider organizations. Cloud clients will benefit from our exposition of how to manage risk when corporate assets are outsourced to cloud providers. Providers of cloud services will learn what processes and controls they can offer in order to provide superior security that differentiates their offerings in the market.

KEYWORDS cloud computing, Security, ISMS, ISO27001

Address correspondence to Klaus Julisch, IBM Research GmbH, Säumerstrasse 4, 8803 Rüschlikon, Switzerland. E-mail: …

1. INTRODUCTION TO CLOUD COMPUTING

Cloud computing is a new formula of delivering computing resources, not a new technology.
Specifically, cloud computing provides computing resources as on-demand services that are hosted remotely, accessed over the Internet, and generally billed on a per-use basis (Chong & Carraro, 2006; Catteddu & Hogben, 2009; Datamonitor, 2009). There are three types of computing resources that have been provided in the cloud:

• Software as a Service (SaaS): This is application software that is hosted by third parties and provided as a service over the Internet. Examples of SaaS include Google Docs, …, and Web mail services such as ….

• Platform as a Service (PaaS): These are platforms consisting of development tools and a runtime environment. Cloud customers use the development tools to program their own applications against the Application Programming Interface (API) of the runtime environment. Subsequently, the applications are deployed to the runtime environment where they are executed. Examples of PaaS include Microsoft Azure, …, and Google Apps.

• Infrastructure as a Service (IaaS): These are low-level computing resources such as virtual machines or storage which are provided on-demand over the Internet. Examples include Amazon’s Elastic Compute Cloud (Amazon EC2) and Carbonite’s backup service.

Many additional examples of SaaS, PaaS, and IaaS vendors and offerings can be found in the cloud taxonomy by OpenCrowd (2009).

Cloud computing is a type of outsourcing. As such, it is similar to classic information technology (IT) outsourcing, where a client transfers the custody of parts of its information system to a service provider. The service provider assumes responsibility for the client’s information system and operates it in accordance with the contractual terms that the client and provider agreed upon (Cullen & Willcocks, 2003; Gewald & Helbig, 2006).
These contractual terms, which define the cooperation between outsourcing clients and providers, are called Service Level Agreements, or SLAs.

The defining characteristic of classic IT outsourcing (compared to cloud computing) is that the outsourcing provider offers a customized and unique service that does exactly what the client requests at the client’s terms, in a well-controlled and discrete environment. Cloud computing, by contrast, offers highly standardized services that are provided cheaply by serving multiple customers from a shared IT infrastructure (Brunette & Mogull, 2009; Datamonitor, 2009). Of course, cloud services offer some degree of customizability, but cloud services are basically commoditized “one-size-fits-all” offerings. Further, the use of a shared IT infrastructure across clients destroys any clients’ ability to afford the same level of control known from classic IT outsourcing.

Cloud computing is a sizeable and rapidly growing market. According to International Data Corporation (IDC), a leading provider of market intelligence and advisory services, the worldwide market for cloud computing was approximately $17.4 billion in 2009 and is estimated to reach $44.2 billion by 2013 (Gens, Mahowald, & Villars, 2009). This rapid market growth is driven by the following benefits of cloud computing:

• Low cost: Typical enterprises dedicate 50–70% of their IT budgets to routine system maintenance tasks (Datamonitor, 2009; States & Lindquist, 2008). This overhead can be reduced by outsourcing non-strategic services to cloud providers, which use their scale economies and experience curve effects (Hax & Majluf, 1982) to provide commoditized services more cheaply (Reeves, 2009A).

• On demand: In a recent Goldman Sachs (2009) survey, 51% of respondents saw the key benefit of cloud computing in the ability to elastically scale to meet peak workloads and future demand.
A related benefit is the usage-based pricing model where customers only pay for compute resources consumed (Datamonitor, 2009; Reeves, 2009A).

• Short time-to-market: It is faster to procure cloud services than develop the same functionality in-house. The ability to deliver results fast is another benefit of cloud computing (Roth, 2008).

Inhibitors to the adoption of cloud computing include security, business continuity and control concerns, reliability concerns, fears of vendor lock-in, migration costs, reduced customizability, integration difficulties, as well as uncertainties about the business case and the legal implications (Catteddu & Hogben, 2009; Datamonitor, 2009; Roth, 2008; Reeves, 2009A). This article addresses the security and control concerns and shows how information security management systems (ISMSs) can be extended to overcome them.

2. STATE OF THE ART IN CLOUD SECURITY

Section 1 defined cloud computing as a new IT delivery model. This definition by itself does not imply any new security challenges. For example, an organization could task its internal IT departments to deliver all computing resources as cloud services. From a security and control point of view, this is very much akin to classic in-house IT delivery. New security challenges arise, however, in the public cloud (Brunette & Mogull, 2009; Reeves, 2009A) where a cloud provider offers cloud services to any (paying) client. Some of these clients may be internal business units of the cloud provider, but most clients will be external legal entities, for example, other companies. The defining characteristic of public clouds is that SLAs are used to stipulate the legal accountability between cloud providers and their clients.
This article focuses on security in public clouds, and the term “cloud” is henceforth used synonymously with “public cloud.”

In using (public) cloud services, a Cloud Client (CC) places select organizational assets in the custody of a Cloud Provider (CP). In doing so, the CC cedes control over these assets to the CP, and yet the CC retains accountability for the security and regulatory compliance of these assets. This creates risks, which have made some enterprises hesitant to sign up for cloud services (Catteddu & Hogben, 2009). CPs understand this problem and have responded by offering SAS-70, ISO-27001, or other security certifications to “proof” the quality of their risk-mitigating controls (Salesforce, 2008; Schadler, 2009; Amazon, 2010). Further, some CPs such as … or Google offer Service Level Agreements to facilitate a risk transfer (Intacct, 2010; Google, 2010A; Amazon, 2008). All of these schemes are important, but taken in isolation, they have important shortcomings:

1. Formal Registrar Security Certification audits have the problem of being infrequent (typically every three years). The CC therefore receives infrequent “snap shots” of the CP’s control environment and has to trust that everything is “OK” between certifications. This setup is increasingly unacceptable to many CCs who, at any moment, may be held accountable by their stakeholders for the security and compliance of their own information systems.

2. It is important to understand that “SAS 70 certification” is not a stamp of approval (even though it is sometimes marketed that way). This is because SAS 70 is a framework for conducting audits. It does not certify any specific controls or control objectives. Rather, each CP defines for itself the controls and control objectives that it wants to be certified for (AICPA, 1992).
These controls and control objectives are documented in the SAS 70 audit report. Prospective clients should always consult this report (rather than relying on the “SAS 70 compliant” label) to determine if the controls of a CP meet their requirements (Brunette & Mogull, 2009). SSAE 16 and ISAE 3402, the successor standards of SAS 70, improve on these issues by requiring the CP to more fully disclose its system and control environment (Thompson, Griffin, & Bialick, 2010).

3. The SLAs offered by CPs tend to be conservative in the sense that they offer only small penalty payments and their commitments are focused on availability rather than data integrity or confidentiality (Amazon, 2009; Google, 2010A; Maiwald, 2009; Mather, Kumaraswamy, & Latif, 2009). Further, cloud-SLAs are typically standardized and unable to meet the specific security requirements of individual customers (Goertzel et al., 2009).

4. SLAs are an intrinsically imperfect risk treatment strategy. In theory, they transfer the risk to the CP. In practice, however, the CPs’ responsibility ends with a (frequently small) penalty payment and the potential loss of the customer(s) affected by a control failure. The CC, by contrast, remains accountable towards its own customers, regulators, and directors for any failures, and there are few limits to the cost that such accountability can entail.

While generally insufficient by themselves, SLAs, certifications, and audits are important building blocks of cloud security. In this article, we show how these and other risk treatment methods can be combined into a single consistent framework, called the virtual ISMS. An ISMS is the set of processes, policies, and mechanisms that an organization uses to establish, implement, operate, monitor, and improve information security (ISO, 2005A).
A virtual ISMS extends this concept so it becomes suitable for virtual enterprises where IT services are partially outsourced to CPs.

This article is targeted at CIOs and CSOs of cloud client and cloud provider organizations. CCs will find that the virtual ISMS offers a structured way for managing risk and protecting corporate assets that are outsourced to CPs. This benefit is shared by CPs. As CPs use shared and standardized infrastructures to deliver cloud services cheaply, they cannot offer customized provisions to individual clients. Using the virtual ISMS to manage security in a standardized and scalable way is of real benefit to CPs. In addition, CPs will draw value from our discussion of ways to improve security and thereby differentiate their offering in the marketplace.

3. THE “CONVENTIONAL” ISMS

The ISO/IEC Standard 27001:2005 defines an ISMS as the set of processes, policies, and mechanisms that are used to establish, implement, operate, monitor, review, maintain, and improve information security (ISO, 2005A). The standard further prescribes