security management standards in cloud computing

information security management standards (like ISO 27001) to better fit the situation of cloud computing service providers. February 2013, version 2.0: initial publication of the PCI DSS v2.0 Cloud Computing Guidelines, produced by the 2013 Cloud SIG. The next section talks about certain standards, which discuss best practices, standards and challenges and try to address the above issues in the best possible manner. The purpose for which the client uses the cloud service. The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services). "For example, if payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP's infrastructure and the client's usage of that environment". They are targeted at general management, cyber security and IT security practitioners. The challenges are classified based on whether the participant is a CSP or a CSC [X1601]. "Cloud Service Customer: The cloud service customer should review the proposed demarcation of information security responsibilities and confirm it can accept its responsibilities" [ISO27001]. The more security controls the CSP is responsible for, the greater the scope of the CDE will potentially be, thereby increasing the complexity involved in defining and maintaining CDE boundaries. Identity management is important in authentication, authorization and access control. This statement also contains references to other resources, including the National Institute of Standards and Technology (NIST), National Security Agency (NSA), Department of Homeland Security (DHS), International Organization for Standardization (ISO), Center for Internet Security (CIS), and other industry organizations (e.g., Cloud Security Alliance). Distributed Management Task Force (DMTF). 
Scoping Considerations: Organizations looking to store, process, or transmit payment card data in a cloud environment should clearly understand the impact that the cloud will have on their PCI DSS scope [PCI13]. It helps create standards for the management of virtualized environments, managing the life cycle of a virtual computer system, discovering and inventorying virtual computer systems, and monitoring virtual systems for health and performance. The five standards described below discuss in detail the breadth of issues they cover with regard to cloud security. Data isolation amongst users is important. 16 NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems provides additional technical details for financial institutions considering the use of microservices. From the perspective of a CSP, the CSCs may be able to sue them if their privacy rights are violated. Are there multiple copies of the data that is stored? Data isolation may be provided physically or virtually. Cloud security consists of a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data and infrastructure. ... 1253, and the Federal Information Security Management. Security breaches involving cloud computing services highlight the importance of sound security controls and management’s understanding of the shared responsibilities between cloud service providers and their financial institution clients. When using a CASB, your security management can consist of the following primary tasks: This oversight and monitoring can include evaluating independent assurance reviews (e.g., audits, penetration tests, and vulnerability assessments), and evaluating corrective actions to confirm that any adverse findings are appropriately addressed. The challenges arise in addressing issues such as data ownership and access control. 
Ambiguity in responsibility: A CSC uses services based on different service categories as well as different deployment models. The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side by side in each section. Security challenges for Cloud Service Customers: This clause describes the challenges that affect the CSCs directly. Security challenges for cloud service providers: This clause describes the challenges that affect the CSPs. The Statement categorizes risk management practices into the following sections: Governance; Cloud Security Management. Additional information on general third-party risk management and outsourcing practices is available in the FFIEC Information Technology Examination Handbook’s “Outsourcing Technology Services” booklet and other documents published by FFIEC members. Securing the host from containers and vice versa. Regardless of the environment or service model used, the financial institution retains overall responsibility for the safety and soundness of cloud services and the protection of sensitive customer information.9 Cloud computing environments are enabled by virtualization4 technologies, which allow cloud service providers to segregate and isolate multiple clients on a … An important consideration therefore is that before migrating a payment card operations system to a cloud, the client evaluates its needs. Privacy ensures that the data, personal information and identity of a CSC are not revealed to unauthorized users. The features of cloud computing such as speed, portability, performance improvement and utilization of shared resources have allowed the use of cloud computing to spread rapidly. Organizations tend to have their own identity management system. DoD Cloud Computing SRG v1r3, DISA Risk Management, Cybersecurity Standards, 6 March 2017, developed by DISA for DoD. 
8 NIST defines a hypervisor as the virtualization component that manages the guest operating systems (OSs) on a host and controls the flow of instructions between the guest OSs and the physical hardware. A participant is not allowed to access data of another party unless authorized to do so. Hence, the security practices must be continually revised to keep them updated and efficient. Ongoing oversight and monitoring of a financial institution’s cloud service providers are important to gain assurance that cloud computing services are being managed consistent with contractual requirements, and in a safe and sound manner. Availability is lost when a denial of service attack is launched on a service. However, if there are not multiple copies of the data, then an attacker who has hijacked a session or gained privileged access could request that the data be destroyed, and all data will be lost [Hocenski10, Wiki]. The contractual agreement between the financial institution and the cloud service provider should define the service level expectations and control responsibilities for both the financial institution and the provider. April 2018, version 3.0: updated PCI SSC Guidelines for Secure Cloud Computing, produced by the 2017 Cloud SIG. Thus, for implementing ITIL a detailed analysis of existing processes, along with gaps in relation to the ITIL framework and the level of process integration, would be needed. This is because each contract may be in a different framework. These guidelines were developed by the Department of Premier and Cabinet Cyber Security Unit for use by Victorian Governme… There must be end-to-end encryption (secure encrypted channels), client and server authentication and no data leakage. 
The standard suggests the following cloud computing security capabilities to mitigate the security threats discussed in section 2 and the security challenges discussed above [X1601]. The Federal Financial Institutions Examination Council (FFIEC) on behalf of its members1 is issuing this statement to address the use of cloud computing2 services and security risk management principles in the financial services sector. The term "cloud computing" came into existence to define the change that occurs when applications and services are moved into the Internet "cloud". This anti-malware solution, using a cloud delivery model, updates the anti-malware signatures on the client's system. This may result in jurisdictional conflict. A function of the hypervisor is to logically separate virtual machines from each other in the virtual network. The use of non-standard functions and cloud frameworks makes the CSP non-interoperable with other CSPs and also leaves the CSC open to security attacks. "For example, in a private-cloud deployment, an organization could either implement adequate segmentation to isolate in-scope systems from other systems and services, or they could consider their private cloud to be wholly in scope for PCI DSS. It is essential that CSPs keep all data of a CSC confidential from other users as it moves between the communication channels. Portability provides a CSC the freedom of migrating from one CSP to another, and reversibility refers to the ability of a CSC to remove its data from the cloud back to its non-cloud storage. This industry standard management framework provides guidance for planning and implementing a governance program with sustaining management processes that protect information assets and thus provide security. The standard discusses the security challenges based on the nature of the role that an individual or an organization plays in the cloud computing paradigm. 
Access insecurity: Due to the distributed and shared nature of a cloud, accessing cloud services may also pose threats to the CSCs. Carelessness of one such employee can lead to the compromise of the CSP's administrative credentials and may allow an attacker to gain complete control of the cloud [X1601]. 19 NIST SP 800-190 Application Container Security Guide. This process includes the collection, handling, storage and deletion of private data. Especially in a SaaS or PaaS model, the majority of system-level logging and auditing is under the control of the CSP. This standard is yet to be launched in the market. One important aspect of ITIL, pertaining to cloud computing, is continuously changing organizations and information systems [Fry]. The code of practice provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002, in the cloud computing context. It helps enhance the customer experience as it provides customers with portability, platform independence, verification, signing, versioning, and licensing terms [OVF2]. The TC identifies gaps in existing identity management standards and investigates the need for profiles to achieve interoperability within current standards. We skip technical standards on and below the transport layer (i.e. It exists on the premises of the cloud provider.” Compatibility: Storage services provided by one vendor may not be compatible with those provided by another vendor. Availability: Availability is an important part of any system. Below, we discuss some of these in detail. Application security also involves an application firewall for monitoring inbound and outbound traffic to the cloud. Risk management expectations for the management of relationships involving third parties (such as third-party cloud computing services) are outlined in FFIEC members’ respective guidance and the Information Security Standards. 
The features that make cloud computing stand apart from other non-cloud techniques also make it susceptible to many attacks, and it has to deal with many security issues. The five standards described below discuss in detail the breadth of issues they cover with regard to cloud security. In the absence of this, an attacker can create a malicious application, self-sign it and put it up on the cloud for naive users to use. When a CSC chooses to move its workload from one CSP to another, it may have to go through a tedious process of ensuring compatibility and compliance again so as to match the infrastructure, services and terms and conditions of the new CSP. Security as a Service, or SecaaS, forms an integral part of the security of the cloud. Wrongful use of administrative credentials: A CSP needs to give a CSC administrative access to the cloud to some extent so that the CSC can manage its data on the cloud. The IEEE Standards Association (IEEE-SA) is a leading consensus building organization that nurtures, develops and advances global technologies, through IEEE. OVF 2.0 was released in January 2013 [OVF2]. Fears over cloud security persist, with hackers obtaining user information available online for nefarious purposes. 
FFIEC Information Technology Examination Handbook, FFIEC “Outsourced Cloud Computing” (July 10, 2012), NIST 800-144: Guidelines on Security and Privacy in Public Cloud Computing, NIST 800-145: The NIST Definition of Cloud Computing, NIST 800-146: Cloud Computing Synopsis and Recommendations, NIST 800-125: Guide to Security for Full Virtualization Technologies, NIST 800-125A Rev.1: Security Recommendations for Server-based Hypervisor Platforms, NIST Special Publication 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection, NIST Special Publication 800-190: Application Container Security Guide, Mitigating Cloud Vulnerabilities, Microsoft Office 365 Office Security Observations, Cloud Security Guidance, The Basics of Cloud Computing, Federal Risk and Authorization Management Program (FedRAMP), Center for Internet Security (CIS) Controls v.7 (Control 7), Cloud Security Alliance, Institute of Electrical and Electronics Engineers (IEEE) Cloud Computing Standards, International Organization for Standardization (ISO). We started our discussion with ITIL, which describes best practices and guidelines that define an integrated, process-based approach for managing information technology services. Due diligence and sound risk management practices over cloud service provider relationships help management verify that effective security, operations, and resiliency controls are in place and consistent with the financial institution’s internal standards. 10 Developed by the AICPA, system and organization controls (SOC) reviews refer to the audits of system-level controls of a third-party service provider. 
For the sake of brevity Data Security: Enterprises that use cloud services must be sure that their data is protected wherever it goes. Data isolation, protection and privacy protection: Data isolation: This refers to preventing access and visibility of one party's data to another party in the shared environment. In the process, the SecaaS functionality is not necessarily reviewed to verify that it meets the applicable requirements. Different models of cloud computing lead to variation in the amount of responsibility taken by the CSP and by the CSC. Next we discuss the threats that are specific to cloud service providers (CSP) and cloud service customers (CSC). This leakage may violate the CSC's copyrights and may result in the disclosure of the CSC's private data. 4 technologies, which allow cloud service providers to segregate and isolate multiple clients on a common set of physical or virtual hardware. The scope of PCI DSS requirements the client is outsourcing to the CSP. The NIST Cloud Computing Standards Roadmap Working Group (CCSRWG) has surveyed the existing standards landscape for interoperability, performance, portability, security, and accessibility standards / models / studies / use cases / conformity assessment programs, etc., relevant to cloud computing. It is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. The ambiguity as to whether a CSP or a CSC should adhere to a given responsibility varies with changes in jurisdiction and can be vague at the international level. CSCs must have regular and predictable access to their data and applications [Shahed09, Wiki]. It provides expertise specifically for the Cloud Infrastructure Management Interface (CIMI) specification. This feature makes the CSPs vulnerable to many security issues. 
Realization of security requirements: "Security requirements are usually defined in the SLA as well as in other external requirements, which are specified in underpinning contracts, legislation, and internally or externally imposed policies". Data exposure: The data of various customers is stored in a single cloud. Figure 1: ITIL life cycle in an organization. If a CSP does not ensure the destruction of data beyond the retention period, it may result in exposure of private and confidential data. Ensuring the integrity of the data (transfer, storage, and retrieval) means that the data is changed only in response to authorized transactions. This also includes the threats that affect more than one participant of the cloud service. OVF 2.0 has a huge impact, mainly attributed to its ability to include support for network configuration. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology. The CSP validates which service and system components within its own operations. Are there multiple copies of the keys? ITIL gives a comprehensive explanation pertaining to major IT practices with detailed checklists, tasks, and procedures that can be modified and adapted to any IT organization. These guidelines identify the procedures and responsibilities in the engagement and management of cloud computing services. NIST SP 800-190 Application Container Security Guide states “The term is meant as an analogy to shipping containers, which provide a standardized way of grouping disparate contents together while isolating them from each other.” Financial institutions use private cloud computing environments,5 public cloud computing environments,6 or a hybrid of the two. According to the memorandum, the Federal Government’s adoption and use of information systems operated by cloud service providers depends on security, interoperability, portability, reliability, and resiliency. 
The OMG Cloud Working Group publishes vendor-neutral guidance on important considerations for cloud computing adoption, highlighting standards, cloud customer requirements, and best practices to foster an ecosystem of open, standards-based cloud computing technologies. Each CSC must have a separate address space and memory regions so that they do not access data or addresses that they should not be accessing. The OASIS IDCloud TC works to address the serious security challenges posed by identity management in cloud computing. (NIST) and describes standards research in support of the NIST Cloud Computing Program. A cross-VM side-channel attack could compromise the confidentiality of a system. Software dependencies: When a CSP's system consists of components provided by various CSNs, it will not be able to make changes immediately upon detection of a vulnerability, because the change may affect multiple components, and as the components are from different CSNs, some of them might not be compatible with the changes. The fifth standard presented in this paper is to be released in 2015 and touches other finer aspects of cloud security. These cloud computing security measures are configured to protect data, support regulatory compliance and protect customers' privacy, as well as setting authentication rules for individual users and devices. In addition to this, organizations should establish a formal governance framework that outlines chains of responsibility, authority and communication. A CSP insider could easily access the personal data of CSCs if the encryption keys were available to the CSP, if the stored data was not encrypted, or if the data was stored in multiple locations. 
Starting with a framework of general information security management processes derived from standards of the ISO 27000 family, the most important information security processes for health care organizations using cloud computing will be identified, considering the main risks regarding cloud computing and the type of information processed. Developing Standards for Cloud Computing. For DMTF's cloud standard development, OVF plays an important role. Network security: Network security in cloud computing includes both physical and virtual network security through isolation and confidentiality between all involved parties. The Working Group publishes OMG discussion papers. Securing containers from applications within them. Application Security: With PaaS, CSCs can design their own applications on the platform in the cloud. Cloud Computing Standards Organizations: Cloud Security Alliance. It is important for CSPs to design platforms in such a way that the applications or software built over them are portable, able to run on and be stored on other cloud infrastructures [Hocenski10, Shahed09, Wiki]. The primary function of a cloud, however, is to provide service. Identity Management: An identity management system controls access to data and information. Advancements in the OVF specification are handled by DMTF's System Virtualization, Partitioning, and Clustering Working Group (SVPC WG). For instance, a cloud service provided by a CSP will be shared by many CSCs. There is no way of ensuring that the CSP deletes all copies of CSC data when the CSC intends it to do so. Hence, it provides a framework with continuous improvement that is necessary to align and realign IT services to changing business needs. 
ITIL - Information Technology Infrastructure Library, CIMI - Cloud Infrastructure Management Interface, SVPC WG - System Virtualization, Partitioning, and Clustering Working Group, ITU - International Telecommunication Union, ISO - International Organization for Standardization, IEC - International Electrotechnical Commission, PCI DSS - Payment Card Industry Data Security Standard. Careful review of the contract between the financial institution and the cloud service provider, along with an understanding of the potential risks, is important in management’s understanding of the financial institution’s responsibilities for implementing appropriate controls. For example, an enterprise may decide that its data should not be available outside its organization and may allow only specific officials to access the data. ), because these layers are very generic and also highly standardized. OMB also helped develop the Who is responsible for ensuring this: the CSP or the CSC? Cloud Computing is governed under the system-wide policy BFB-IS-3: Electronic Information Security. The Payment Card Industry Data Security Standard (PCI DSS) was released by the PCI Security Standards Council. Finally, we present our conclusions from the discussion and the way ahead. One important factor while implementing security controls is that special technical know-how is required for the cloud environment [PCI13]. Interoperability, portability and reversibility: Interoperability refers to enabling various cloud components to synchronize their jobs in the cloud. 12 For example, refer to NIST’s Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014. Misappropriation of intellectual property: A CSC may face this challenge due to the possibility that its data on the cloud might leak to third parties that are using the same CSP for their cloud services. 
OVF thus provides customers vendor and platform independence, as it facilitates mobility of virtual machines [OVF2]. This makes it a risk for the CSC to trust the CSP with its data and leaves the CSC under a high security threat in using cloud services. Senior management should also periodically report to the board about the nature of the regulated entity’s cloud computing risk, which may change significantly over time. All services provided by the cloud must be available at all times. Is it encrypted so that even the administrator cannot see it without the decryption key? 17 NIST Glossary defines containers as a method for packaging and securely running an application within a virtualized environment. 21 NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defines interoperability as the capability of data to be processed by different services on different cloud systems through common specifications. Cloud computing is a model, as defined3 by the National Institute of Standards and Technology (NIST), for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be The standards above describe in detail the considerations to make cloud computing safer for the end user and provide an experience where there is no loss of data or identity. Certain commercial entities, equipment, or material may be identified in this document in order to describe a concept adequately. [Hocenski10, Shahed09, Wiki]. This may enable an attacker to gain unauthorized access to the cloud if the attacker can manage to pose as a valid CSC. When published, a more comprehensive and detailed document for the fifth standard will help us gain deeper insight into what value that standard adds for us in terms of cloud security. 
Evolutionary risks: Evolutionary risks arise when the implementation of some system choices is delegated to the execution phase of the system rather than the design phase. Implement a dedicated physical infrastructure that is used only for the in-scope cloud environment. It makes use of its organizational team in doing so before deciding how much of the requirements set by the client are feasible, and acts accordingly. The various security threats to the cloud made it imperative to issue standards on how work is done on the cloud. 14 A hardware security module is a physical computing device that implements security functions, including cryptographic algorithms and key generation. Cloud computing services have dynamic characteristics. In due course of time the cloud is going to become more valuable to us, and we must protect the data we put on the cloud while maintaining the high quality of service being offered to us. Shared environment: The idea of cloud services is the sharing of resources on a very large scale. Cloud Computing: Implementation, Management, and Security provides an understanding of what cloud computing really means, explores how disruptive it may become in the future, and examines its advantages and disadvantages. Realization of a basic level of security: "This is necessary to guarantee the security and continuity of the organization and to reach simplified service-level management for information security management". It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. In parallel, it also provides the ability to encrypt the package to ensure its safe delivery. The 2020 Security in a Cloud Computing Environment Statement expands upon these basic key elements to provide a better understanding of due diligence and sound management practices over cloud service provider relationships. 
The issues in cloud security that arose after the first four standards were issued are touched upon in the fifth standard, which is yet to be released. Cloud computing has seen quite rapid and significant growth in the last few years. 2 NIST SP 800-145, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology, defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or third-party service provider interaction. This document, the Cloud Computing Security Requirements Guide (SRG), ... policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible. Inconsistency and conflict of protection mechanisms: An attacker might be able to exploit the decentralized architecture of the cloud because of the discordant security systems among various distributed systems. There are several security issues and threats in the cloud, and they can be categorized based on the security area that is under attack. Some of the currently used mechanisms are mutual authentication, digital signatures, encryption and integrity checksums. Section 3 of our paper discusses in detail the various governance measures required to stem these issues. Advantages of using OVF: OVF 2.0 brings a lot to the table for the packaging of virtual machines, making the standard applicable to a broader range of cloud use cases that are emerging as the industry enters the cloud era. 
The standard also talks about various other capabilities such as Identity and Access Management (IAM), authentication, authorization and transaction audit, computing virtualization security, operational security, incident management, disaster recovery, service security assessment and audit, and supply chain security. Loss of software integrity: A CSC encounters this challenge due to the fact that its software is running in the cloud once it is given to the CSP. Access control lists, integrity verification and encryption are some of the mechanisms used for providing data protection. ITIL helps make sure that proper security measures are taken at all important levels, namely the strategic, tactical, and operational levels. There exists a "trust but verify" relationship between CSPs and CSCs [IBM09]. This technology allows you to see all your cloud applications in use and to apply security policy across them. A risk management process must be used to balance the benefits of cloud computing with the security risks associated with the organisation handing over control to a vendor. Changes include: • Restructure of the document for better flow (e.g., consolidation of Cloud security management is a continuously evolving process. PaaS allows CSCs to assume more responsibility for the software applications and the middleware. In the following section, we list a few concerns related to security governance, regulation and compliance (GRC). Physical security: This capability requires that access to the CSP premises be granted only to authorized personnel and only to those locations that are necessary for the job function. Risk management expectations for the management of relationships involving third parties (such as third-party cloud computing services) are outlined in FFIEC members’ respective guidance and the Information Security Standards.3 
Due to this sharing of storage resources, if the data of a CSC is not sufficiently protected using proper cryptographic management, then it may lead to exposure of a CSC's data to other CSCs who might not be authorized to access this data [X1601]. Privacy: Privacy is one of the more pressing issues, for the cloud and for network security in general. It is one important aspect that must be of absolute assurance to the CSC. Interface security: This capability refers to securing the interfaces that are responsible for providing cloud services to various CSCs. Based on the services that a CSP provides and the cloud environment, a CSP may face the following threats. Management’s failure to understand the division of responsibilities for assessing and implementing appropriate controls over operations may result in increased risk of operational failures or security breaches. Ambiguity in responsibility: The ambiguity in responsibility may result when a CSP is working across various jurisdictions. Security coordination: Due to the different computing services in a cloud environment, there are different security controls provided by each cloud service. This may result in a CSC gaining unauthorized access to others' virtual resources in the cloud and may violate the privacy of the other cloud users. The distributed nature of cloud service allows remote access to the service. These services fall into the following categories: An important aspect of moving everything into the cloud is to keep everything safe and secure. Loss of trust: Because of the abstraction of the security implementation details between a CSC and a CSP, it is difficult for a CSC to get details of the security mechanisms that the CSP has implemented to keep the cloud data secure. Verifying that configurations prevent containers from unintentionally interacting. The working group performs a few critical tasks. They assume basic knowledge of cloud computing and enterprise security architectures. 
[7] NIST SP 800-145, The NIST Definition of Cloud Computing. Here, private information means personally identifiable information such as credit card details, religion, sexual orientation and health records. Various standards that define the aspects of cloud security related to the safety of data in the cloud and to securely placing data in the cloud are discussed. The clouds, as of today, are by definition "black boxes". Even after putting all the security measures in place, a breach of privacy is still possible. It gives business executives the knowledge necessary to make informed, educated decisions regarding cloud initiatives. Thus, security management is largely a job of the subscriber. Section 4 talks about various industry standards that have already been published covering security issues in the cloud. They can do so on the platform of their choice. Security Authorization of Information Systems in Cloud Computing Environments. The fifth standard presented in this paper is to be released in 2015 and touches on other finer aspects of cloud security. Minimize reliance on third-party CSPs for protecting payment card data. "Cloud Service provider: The cloud service provider should define and document the demarcation of responsibilities of cloud service customer, cloud service supplier and its suppliers" [ISO27001]. Implement a layered, defence-in-depth strategy across identity, data, hosts and networks. It further talks about a standard yet to be released and how it would have an impact once it is in the market. It stores huge amounts of data and information. This may result in misconfiguration or an attack due to the abstraction of the CSP's cloud practices and due to the privileges that need to be given to the CSP. SecaaS solutions may not be directly involved in storing, processing, or transmitting payment card data [PCI13]. This may result in some vulnerabilities in the system after or during the execution phase even if the system passed the security checks during its design phase.
Even if the workload has been moved to the cloud, the onus of compliance and protection has to be borne by the CSCs. How is the data stored within the cloud? This statement does not contain new regulatory expectations; rather, this statement highlights examples of risk management practices for a financial institution’s safe and sound use of cloud computing services and safeguards to protect customers’ sensitive information from risks that pose potential consumer harm. Not to store, process or transmit payment card data in the cloud. In a public cloud, the client organization and CSP will need to work closely together to define and verify scope boundaries, as both parties will have systems and services in scope." This raises confidentiality concerns, as the regulating privacy laws differ between regions and some of these might be unacceptable or harmful to CSCs. Apart from these, threats can also arise from indirect denial of service, attacks such as cross-VM side-channel attacks, and malware infection [Shacham09]. Cloud service provider lock-in: This issue arises if a CSP does not abide by the standard functions or frameworks of cloud computing and hence makes it difficult for a CSC using its services to migrate to any other CSP. Thus the SVPC WG has made major contributions to DMTF's overall Cloud Management Initiative [OVF2]. Figure 1 shows the ITIL life cycle in an IT organization as described above. The various security threats to the cloud made it imperative to issue standards on how work is done in the cloud. We further lay emphasis on ISO/IEC 27017, a standard that is currently being drafted and that brings out other finer aspects of cloud security. Let us consider the example of a SecaaS-based anti-malware solution. The exact location of the CSC's data in the cloud is not known to the CSC. [13] Data tokenization refers to the practice of substituting sensitive data with a random value, or token, that is associated with the sensitive data.
Management should not assume that effective security and resilience controls exist simply because the technology systems are operating in a cloud computing environment. OVF provides the ability for efficient, flexible and secure distribution of enterprise software over the cloud. The major challenge for organizations that fail to adopt ITIL efficiently is that they might have to redefine or re-implement the entire set of ITIL processes that they have. This may allow an attacker to tamper with the cloud [X1601]. Privacy faces another threat: the insider threat. These applications must be tested and verified by the CSP before being made available to other users. The ITU standard presents a sketch of issues pertaining to cloud computing and proposes a framework for cloud security. Examples of relevant risk management practices for assessing risks related to and implementing controls for cloud computing services include: The risk management considerations outlined in this statement provide a summary of key controls that management may consider as part of assessing and implementing cloud computing services. Cloud computing environments are enabled by virtualization. security standards are numerous: • Standards promote interoperability, eliminating vendor lock-in and making it simpler to transition from one cloud service provider to another. Section 2 talks about the major threats and vulnerabilities the cloud faces. It also helps provide simplified deployment over multiple platforms. It aims to advance ISO/IEC 27002 by adding value to its control implementation practices. They provide a comprehensive structure for how security in the cloud is maintained with respect to both the user and the service provider. PCI's main objective is to provide security guidelines for credit card usage and to address CSPs and CSCs.
The ITU-T X.1601 standard gives a detailed insight into the different services provided by the cloud, the main threats that a cloud environment faces, the challenges in providing or using cloud services, and the security capabilities that help in mitigating these threats and challenges. The only thing the CSC can do is trust the CSP. In cloud computing environments, financial institutions may outsource the management of different controls over information assets and operations to the cloud service provider. Additionally, traditional security controls, such as firewalls and intrusion detection systems, may not be effective because containers may obscure activities; therefore, container-specific security solutions should be implemented. These models and the typical responsibilities include: These examples describe typical shared responsibilities for the different service models; however, the specific services and responsibilities will be unique to each service deployment and implementation. Insider threat: A CSP needs to be careful in providing administrative access to its employees. Data protection: Data protection ensures that the data of a participant is sufficiently protected and that no one except authorized people is allowed to tamper with it. NIST aims to foster cloud computing practices that support interoperability, portability, and security requirements that are appropriate and achievable for important usage scenarios. This model will enable proper authentication and authorization among different entities and components of the system. [3] A financial institution’s overall information security program must also address the specific information security requirements applicable to “customer information” set forth in the “Interagency Guidelines Establishing Information Security Standards” implementing section 501(b) of the Gramm–Leach–Bliley Act and section 216 of the Fair and Accurate Credit Transactions Act of 2003.
Use of cloud computing services may introduce security challenges, and the University must manage how the cloud provider secures and maintains the computing environment and University information assets. Cloud computing environments are enabled by virtualization[4] technologies, which allow cloud service providers to segregate and isolate multiple clients on a common set of physical or virtual hardware. • Standards facilitate hybrid cloud computing by making it easier to integrate on-premises security technologies with those of cloud service providers. Bad migration and integration: To migrate a system to a CSP, a large amount of data has to be moved to the cloud. It is aimed at supplementing the guidance in ISO/IEC 27002 and various other ISO27k standards, including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO27k standards [ISO27017]. Standards in Cloud Computing, IEEE Standards Association. [18] NIST Special Publication 800-190, Application Container Security Guide, provides additional technical details for financial institutions considering the use of containers. Some important features of cloud computing include agility, device independence, location independence, reduced cost, reliability, scalability, resource sharing and security [Michael10]. The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS). The next standard, PCI DSS, focuses on authenticating the CSP and CSC for secure data handling on both sides. VMware Cloud Services offerings run on physical infrastructure built and maintained by … [4] The NIST Glossary defines virtualization as the simulation of the software and/or hardware upon which other software runs. 8, issue 4, ISSN 1336-1716, pp.
The cloud security guidelines are intended to support Victorian Government organisations in making informed, risk-based decisions about the use of cloud services. A CSC has to take all these factors into account when choosing a CSP. See 12 CFR 30, appendix B (OCC); 12 CFR part 208, appendix D-2, and 12 CFR part 225, appendix F (FRB); 12 CFR 364, appendix B (FDIC); and 12 CFR 748, appendix A (NCUA) (collectively referenced in this statement as the “Information Security Standards”). Ethernet, TCP/IP, TLS/SSL, HTTP, SMTP etc. It provides security domain partitioning, border access control, and intrusion detection and prevention. Many IT organizations employ a security management framework, the Information Technology Infrastructure Library (ITIL) [Marquis12]. In the current scenario we tend to place a lot of data in the cloud, but what do we really know about its security? Based on the CSC and the type of service being used, the threats listed below may be responsible for violating a CSC's privacy or safety [X1601]. As we have already discussed the major security threats for cloud computing in section 2, in this section we discuss the cloud security challenges and the security capabilities that this standard deals with, which help in mitigating the relevant threats [X1601]. Loss of privacy: A CSC's privacy may be violated by leakage of private information while the CSP is processing the CSC's private data, or by the CSP using the private information for a purpose that the CSP and CSC have not agreed upon. The laws, regulations and standards have to be met. Visibility is very important for CSCs to ensure compliance. The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. The period for which the data should exist in the cloud is decided by the CSC.
Management may determine that there is a need for controls in addition to those a cloud service provider contractually offers to maintain security consistent with the financial institution’s standards. Cloud computing is a huge shift from the client-server model to a model that provides faster and location-independent service [Dialogic]. Management should refer to the appropriate FFIEC member guidance referenced in the “Additional Resources” section of this statement for information regarding supervisory perspectives on effective information technology (IT) risk management practices. It is therefore necessary for the CSPs to ensure that data privacy is maintained. Confidentiality: Confidentiality is the second most important aspect of security. Though the responsibility for managing security is shared between client and provider, the client still has an important role to play. 3. VMware Cloud Services Security Overview: Physical and management layer security. Physical security: In a cloud environment, solid compute, storage and network security is only as effective as the security of the physical environment used to house the infrastructure. Privacy protection: This refers to protecting the private data of the user and all the processing that is done on this private data. [11] In the National Security Agency’s “Mitigating Cloud Vulnerabilities,” the report notes that misconfigurations of cloud resources include policy mistakes, a misunderstanding of responsibility and inappropriate security controls. Integrity: Integrity means that no data should be modified while it is transferred from source to destination. Cloud computing is the next big step forward in the field of networking. In this section we first introduce the basic security considerations for cloud security. Examples of these include NIST, the Center for Internet Security’s Critical Security Controls, and the Cloud Security Alliance.
A risk assessment should consider whether the organisation is willing to trust its reputation, business continuity, and data to a vendor that may insecurely transmit, store and process the organisation’s data. An OVF-format virtual machine can be deployed easily by customers. The CSC needs to know about such a breach when it occurs. This might result in the violation of a CSC's confidentiality and integrity. In this paper we first discussed in detail the security threats and issues that are critical for a cloud. Management may research and consider consulting industry-recognized standards and resources when developing and implementing security controls in a cloud computing environment. The division of responsibilities between the client and the CSP for managing PCI DSS controls is influenced by multiple factors, which are [PCI13]: The client must have a clear understanding of the scope of responsibility that the CSP is accepting for each PCI DSS requirement. Financial institutions use private cloud computing environments,[5] public cloud computing environments,[6] … An enterprise can also press for encrypting its data and allowing only authorized people to access the data. Failure to implement an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment may be an unsafe or unsound practice and result in potential consumer harm by placing customer-sensitive information at risk. Data Protection: A cloud has vast storage space. Most organizations have security, privacy and compliance policies and procedures to protect their IP and assets. Monitoring containers for vulnerabilities and updating or replacing containers when appropriate. In this paper we delve into the details of the security aspects of cloud computing, and the paper is divided into the following sections.
[15] The NIST Glossary defines a microservice as a set of containers that work together to compose an application. CSCs assume that the service providers apply the "principle of least privilege" to their data. It aims to provide further guidance in the information security domain of cloud computing. Most business organizations are currently using the cloud to handle multitudes of business operations. We then shed light on governance and compliance concerns related to cloud security. Open Virtualization Format (OVF) is a standard pertaining to the portability concern described in section 3.3. Loss of governance: When the CSC uses cloud services, it has to move its data onto the cloud and has to grant certain privileges to the CSP for handling the data in the cloud. More often than not, the resources span multiple jurisdictions, which makes the issue of compliance complicated. IaaS makes the subscriber solely responsible for the security of almost all the entities except the physical security of the hardware, the infrastructure itself. Jurisdictional conflict: If a CSP's services are spread across various data centers and across various countries, then different jurisdictions will be applicable to the cloud data. However, specific risk management and controls will be dependent on the nature of the outsourced services and the specifics of the cloud implementation. It is possible that this software might be tampered with or otherwise affected while it is running at the CSP and is not under the CSC's control, resulting in the CSC's loss of control over its software. We extended the discussion to five important standards to enhance cloud security. Trust model: Due to the distributed and large-scale resource-sharing nature of cloud computing, there must be a general trust model. Information Security Standards. The encryption and decryption keys are usually held by the client, and hence the CSP should not be able to look at data in the clear.
The process of logging and auditing is largely dependent on the CSP. SecaaS operates by offering a PCI DSS control to the client's environment. This paper discusses in detail various issues that arise in cloud security with respect to both customers and service providers. It does so by offering advice for both sides, side by side, in each section. Financial institution management should engage in effective risk management for the safe and sound use of cloud computing services. NIST generally defines three cloud service models.[7] For each service model, there are typically differing shared responsibilities between the financial institution and the cloud service provider for implementing and managing controls. [5] The NIST Glossary defines private cloud computing as “The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It is important that everything we put on the cloud does not fall into malicious hands. Processes should be in place to identify, measure, monitor, and control the risks associated with cloud computing. We then talked about Open Virtualization Format 2.0, which provides guidelines for distributing software over the cloud. If the responsibilities are not clearly defined in any of these cases, then it may result in inconsistency or may leave an open gate for attacks. For example, a government might want to keep the data of its citizens within the country and for an exact duration. When data privacy issues are governed by foreign laws, violation of a law by the CSP or CSC may cause major risk due to exposure of private data. The client holds the responsibility of ensuring their cardholder data is secure under PCI DSS requirements.
It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.” [6] The NIST Glossary defines public cloud computing as “The cloud infrastructure is provisioned for open use by the general public. [20] Cloud access security brokers are generally products or services that monitor activity between cloud service users and cloud applications and can typically be used to enforce security policies, alert for anomalous activity or monitor performance. Above we have described the most important threats and issues that arise in the field of cloud computing and how they may cause problems for a CSP or a CSC. Storing data outside of the container, so that data do not have to be re-created when updating and replacing containers. There are also many industry-recognized standards and resources that can assist financial institutions with managing cloud computing services. ISO 27017 is the cloud security standard being developed with expanded control sets for cloud computing. Cloud security is a shared responsibility between the CSP and its clients. In this section we consider the threats that are faced by a CSC. This capability is responsible for coordinating all the different security controls among different cloud services. Some governments or enterprises may need to enforce strict limits on the spatial and temporal existence of data. If the configuration of this data and the configuration of the cloud are not matched properly, there may be open gates for an attacker, making the cloud vulnerable. This isolation is usually ensured by assigning each CSC a dedicated virtual machine [Hocenski10, Shahed09, Wiki].