Cloud Governance : Trust and Accountability June 2009

Table of Contents Introductions Kinamik Background Trust and Accountability Requirements Audit and Integrity Kinamik Secure Audit Vault Amazon AWS Usecase Questions and Next Steps

Introductions Kinamik Background

Trust and Accountability Requirements

Audit and Integrity

Kinamik Secure Audit Vault

Amazon AWS Usecase

Questions and Next Steps

Introductions/ Background Our space is DATA GOVERNANCE Develop Secure Audit Vaults with strong data integrity Collect, monitor and archive sensible digital records and make them tamper-resistant Applications in regulatory compliance, e-discovery, forensics, digital evidence and information security Operational with its current focus since October 2006 VC Funded (Nauta Capital as lead VC)

Our space is DATA GOVERNANCE

Develop Secure Audit Vaults with strong data integrity

Collect, monitor and archive sensible digital records and make them tamper-resistant

Applications in regulatory compliance, e-discovery, forensics, digital evidence and information security

Operational with its current focus since October 2006

VC Funded (Nauta Capital as lead VC)

Federal Cloud "By 2012, 80 percent of Fortune 1000 companies will pay for some cloud computing service, and 30 percent of them will pay for cloud computing infrastructure” (Gartner 08) “ One of the most important transformations that the federal government is going to go through in the next decade is the shift to what’s called “cloud computing” ”(Obama Technology Innovation and Reform Team ) “ The GSA ...cloud computing ...USA.gov is hosted via Terremark's Enterprise Cloud infrastructure... saving between 80% and 90% with Terremark on a multiyear contract worth up to $135 million.” ( Information Week ) NIST is taking a lead role in cloud computing Definition of the cloud Many other upcoming publications e.g Securing Cloud Architectures etc. NIST 800-53 Rev 3 DRAFT Recommended Security Controls for Federal Information Systems and Organizations

"By 2012, 80 percent of Fortune 1000 companies will pay for some cloud computing service, and 30 percent of them will pay for cloud computing infrastructure” (Gartner 08)

“ One of the most important transformations that the federal government is going to go through in the next decade is the shift to what’s called “cloud computing” ”(Obama Technology Innovation and Reform Team )

“ The GSA ...cloud computing ...USA.gov is hosted via Terremark's Enterprise Cloud infrastructure... saving between 80% and 90% with Terremark on a multiyear contract worth up to $135 million.” ( Information Week )

NIST is taking a lead role in cloud computing

Definition of the cloud

Many other upcoming publications e.g Securing Cloud Architectures etc.

NIST 800-53 Rev 3 DRAFT Recommended Security Controls for Federal Information Systems and Organizations

Audit and Compliance Federal Cloud Issues Federal Cloud RFI Specific IaaS Concerns: Service Levels (measurements and reports) Compliance to Legislation Assurance of best practices (ITIL, CMMI, ISO etc) Infrastructure layer (systems patching, etc) Data location (Regions) Data Dispersal to unauthorized entities Data Ownership (e.g. Logging data) Auditing Interoperability Intellectual Property rights ownership Physical Security Trust, Transparency and Accountability Enterprise Cloud Infrastructures "Problem of security boundaries and security compliance (e.g. HIPAA, FISMA, SOX)” Peter Mell, NIST

Federal Cloud RFI Specific IaaS Concerns:

Service Levels (measurements and reports)

Compliance to Legislation

Assurance of best practices (ITIL, CMMI, ISO etc)

Infrastructure layer (systems patching, etc)

Data location (Regions)

Data Dispersal to unauthorized entities

Data Ownership (e.g. Logging data)

Auditing Interoperability

Intellectual Property rights ownership

Physical Security

FISMA/ FIPS 200 Minimum Security Requirements for Federal Information & Information Systems NIST 800-53 AU-9 PROTECTION OF AUDIT INFORMATION: Application to Risk Ratings: Low, Medium and High Impacts The information system protects audit information and audit tools from unauthorized access, modification and deletion Protected Audit Trails

NIST 800-53

AU-9 PROTECTION OF AUDIT INFORMATION:

Application to Risk Ratings: Low, Medium and High Impacts

The information system protects audit information and audit tools from unauthorized access, modification and deletion

Centralized Audit Vaults with tamper resistance Sample of regulations that requires audit-trails GRC US Sarbanes-Oxley (SoX), Gramm-Leach-Bliley Act (GLBA), US Health Insurance Portability and Accountability Act (HIPPA); Payment Card Industry – Data Security Standard (PCI-DSS); FAA DOT/FAA/AR-06/2; EU Data Retention Directive (DRD); FDA 21 CFR Part 11; Data Protection Act (DPA); eDiscovery….. Sample of tamper resistance requirements ISO27001/ISO17799 - 10.10.3 “Logging facilities and log information shall be protected against tampering and unauthorized access.” PCI DSS - 10.5.5 “ensure that existing log data cannot be changed without generating alerts .” NIST 800-93 “Ensuring that the original logs are not altered to support their use for evidentiary purposes

Sample of regulations that requires audit-trails GRC

US Sarbanes-Oxley (SoX), Gramm-Leach-Bliley Act (GLBA), US Health Insurance Portability and Accountability Act (HIPPA); Payment Card Industry – Data Security Standard (PCI-DSS); FAA DOT/FAA/AR-06/2; EU Data Retention Directive (DRD); FDA 21 CFR Part 11; Data Protection Act (DPA); eDiscovery…..

Sample of tamper resistance requirements

ISO27001/ISO17799 - 10.10.3 “Logging facilities and log information shall be protected against tampering and unauthorized access.”

PCI DSS - 10.5.5 “ensure that existing log data cannot be changed without generating alerts .”

NIST 800-93 “Ensuring that the original logs are not altered to support their use for evidentiary purposes

Immutable Audit Log Immutable Audit logs (IALs) are logs protected from tampering and erroneous insertion An IAL cannot be changed without it becoming evident by anyone regardless of privilege The primary values are: Trust - “IALs can increase trust by assuring that activities in the system will be recorded” (Markle, 2006) Transparency – The ability to perform oversight by appropriate stakeholders outside of the system Accountability – Proving policy violations Deterrence – Users will know in advance that logging and auditing are being used to identify policy violations Immutability increases evidential weight “ Immutable audit logs (IALs) will be a critical component for the information sharing environment” (Markle, 2006) “ where levels of trust have been historically low, for example, information sharing between federal law enforcement state/local…Federal Bureau of Investigations, and the Central Intelligence Agency… Department of Homeland Security and the Office of the Director of National Intelligence” (Markle, 2006) Access to IALs can be provided to Trusted Parties such as Data Owners, Regulators, the Government Accountability Office etc. Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust and Accountability, Markle Foundation, 2006 ( Markle , 2006)

Immutable Audit logs (IALs) are logs protected from tampering and erroneous insertion

An IAL cannot be changed without it becoming evident by anyone regardless of privilege

The primary values are:

Trust - “IALs can increase trust by assuring that activities in the system will be recorded” (Markle, 2006)

Transparency – The ability to perform oversight by appropriate stakeholders outside of the system

Accountability – Proving policy violations

Deterrence – Users will know in advance that logging and auditing are being used to identify policy violations

Immutability increases evidential weight

“ Immutable audit logs (IALs) will be a critical component for the information sharing environment” (Markle, 2006)

“ where levels of trust have been historically low, for example, information sharing between federal law enforcement state/local…Federal Bureau of Investigations, and the Central Intelligence Agency… Department of Homeland Security and the Office of the Director of National Intelligence” (Markle, 2006)

Access to IALs can be provided to Trusted Parties such as Data Owners, Regulators, the Government Accountability Office etc.

Kinamik Immutable Audit Log Kinamik provides an Immutable audit log (IAL) repository that collects, secures and centralizes audit information from different sources, while providing irrefutable proof of integrity Trust, Transparency and Accountability Irrefutable Integrity - The implementation of Chain Hashing is a computationally cheap method of achieving tamper evidence in an un-trusted environment [1] Granularity – in opposition to digital signatures each event is key chain hashed with only 570 Bytes/message overhead (excluding message size). Trusted time through the use of external trusted time stamping authorities Confidentiality and access to only privileged users through the use of PKI, Access Control and Encryption Non-repudiation through the use of Public Key Cryptography General Capabilities High performance 7500 events/ second on a single instance. Interoperability Data Collection Agents – Send events in real time to Kinamik´s Immutable Audit Log Data retention policy Searchability - Regular Expression Search Alerting SNMP and SMTP alerting functionality Reporting - Integration with reporting tool Secure Key Management - Optional use of a Hardware Security Module [1]Secure Audit Logs to Support Computer Forensics, Schneier/ Kelsey

Kinamik provides an Immutable audit log (IAL) repository that collects, secures and centralizes audit information from different sources, while providing irrefutable proof of integrity

Trust, Transparency and Accountability

Irrefutable Integrity - The implementation of Chain Hashing is a computationally cheap method of achieving tamper evidence in an un-trusted environment [1]

Granularity – in opposition to digital signatures each event is key chain hashed with only 570 Bytes/message overhead (excluding message size).

Trusted time through the use of external trusted time stamping authorities

Confidentiality and access to only privileged users through the use of PKI, Access Control and Encryption

Non-repudiation through the use of Public Key Cryptography

General Capabilities

High performance 7500 events/ second on a single instance.

Interoperability Data Collection Agents – Send events in real time to Kinamik´s Immutable Audit Log

Data retention policy

Searchability - Regular Expression Search

Alerting SNMP and SMTP alerting functionality

Reporting - Integration with reporting tool

Secure Key Management - Optional use of a Hardware Security Module

Immutable Audit Log Resident in an Amazon EC2 Cloud Instance AWS General Purpose Support Services Management/ Security Components Networking Components (Routers etc) DevPay Flexible Payments Service (Amazon FPS) Elastic MapReduce Simple Queue Service (Amazon SQS) CloudFront Simple Storage Service (Amazon S3) SimpleDB Elastic Compute Cloud (Amazon EC2) S3 Audit Bucket Kinamik Immutable Audit Log Databases (Oracle, MySQL etc) Operating Systems (Unix, MS etc) Middleware (JBOSS, etc) Custom Applications (.NET, Java etc) Privileged Auditor (Data Owner, Regulator, Government Authority etc) Traditional Services Stack Native Audit Data Trusted Chain Applications (CRM, ERP, Mail etc) Cloud Services Audit Data

Limited Audit Capabilities Within Amazon AWS Amazon’s AWS Auditing capabilities Availability Zone - CPU Load, Disk I/O Rates and Network I/O Rates (Only retain for 2 weeks on in S3) CloudFront’s - Logs: The Object Popularity, Traffic by IP, Total of traffic, Total number of requests, Total number of bytes transferred, and the number of request broken down by HTTP response code etc S3 - Creation, deletion and enumeration of objects within the bucket DevPay: Requester Pay Bucket Activities Traditional Infrastructure Auditing Capabilities Access Control Logs Transaction Logs Intrusion Logs Firewall Logs System Performance User Activity Alerts Trusted Chain

Amazon’s AWS Auditing capabilities

Availability Zone - CPU Load, Disk I/O Rates and Network I/O Rates (Only retain for 2 weeks on in S3)

CloudFront’s - Logs: The Object Popularity, Traffic by IP, Total of traffic, Total number of requests, Total number of bytes transferred, and the number of request broken down by HTTP response code etc

S3 - Creation, deletion and enumeration of objects within the bucket

DevPay: Requester Pay Bucket Activities

Traditional Infrastructure Auditing Capabilities

Access Control Logs

Transaction Logs

Intrusion Logs

Firewall Logs

System Performance

User Activity

Alerts

Audit Issues Within Amazon AWS Amazon disclaimers: "4.3: We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services.“ "7.2: We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.” Negative Impacts Does not support NIST 800-53 Control AU9 “Protection of Audit Information” Trustworthiness of operational data (SLA, Billing etc) Limited Guarantees on Data Quality (Data manipulation etc) "The server access logging feature is designed for best effort ... most log records will be delivered within a few hours of the time that they were recorded...server logging feature is offered on a best-effort basis... server logging is not guaranteed ... Usage Report Consistency - It follows from the best-effort nature of the server logging feature that the usage reports available at the AWS portal might include usage that does not correspond to any request in a delivered server log .“ ( Docs.Amazonwebservices.com )

Amazon disclaimers:

"4.3: We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services.“

"7.2: We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.”

Negative Impacts

Does not support NIST 800-53 Control AU9 “Protection of Audit Information”

Trustworthiness of operational data (SLA, Billing etc)

Limited Guarantees on Data Quality (Data manipulation etc)

"The server access logging feature is designed for best effort ... most log records will be delivered within a few hours of the time that they were recorded...server logging feature is offered on a best-effort basis... server logging is not guaranteed ...

Usage Report Consistency - It follows from the best-effort nature of the server logging feature that the usage reports available at the AWS portal might include usage that does not correspond to any request in a delivered server log .“ ( Docs.Amazonwebservices.com )

In Summary Kinamik´s IAL Collects, Centralize and Secures audit trail data from Cloud Services and traditional Network, OS, Application etc, and supports log diversity Provides tamper protection supporting many legislative, regulatory and standards requirements, including FISMA through NIST 800-53 control AU-9 Protection of audit information Provides privileged auditor access to data through the use of PKI and access controls Provides data mining and reporting features to support billing, service levels, security, compliance, forensics etc. Kinamik´s IAL can enable Trust, Accountability and Compliance by providing independent operational visibility to a cloud providers services The IAL data carries significant evidential weight

Collects, Centralize and Secures audit trail data from Cloud Services and traditional Network, OS, Application etc, and supports log diversity

Provides tamper protection supporting many legislative, regulatory and standards requirements, including FISMA through NIST 800-53 control AU-9 Protection of audit information

Provides privileged auditor access to data through the use of PKI and access controls

Provides data mining and reporting features to support billing, service levels, security, compliance, forensics etc.

Kinamik´s IAL can enable Trust, Accountability and Compliance by providing independent operational visibility to a cloud providers services

The IAL data carries significant evidential weight

Feedback "Immutable audit log as a pillar of audit integrity seems like a good choice included with an overall security baseline of practices" ( Senior IT Security Analyst at ICF International) "this type of capability is lacking and definitely needed by the Federal Agencies" (VP Information Assurance at Abacus Technology Corporation) "As an MNC in an industry with significant governance, audit, and compliance requirements I can not see how we can contemplate using the Cloud without such capabilities... keep up the good work" Global Director of IT Strategy and Planning at DuPont. "In reference to cloud/SaaS, if the immutable logs are marketed as a way of verifying both application activity as well as making sure the cloud vendor acts in an appropriate manner, there is some value in that“ (Adrian Lane, Secorsis) “ The value of this type of solutions for AWS is not debatable” (Director of ISVs Alliances, AWS)

"Immutable audit log as a pillar of audit integrity seems like a good choice included with an overall security baseline of practices" ( Senior IT Security Analyst at ICF International)

"this type of capability is lacking and definitely needed by the Federal Agencies" (VP Information Assurance at Abacus Technology Corporation)

"As an MNC in an industry with significant governance, audit, and compliance requirements I can not see how we can contemplate using the Cloud without such capabilities... keep up the good work" Global Director of IT Strategy and Planning at DuPont.

"In reference to cloud/SaaS, if the immutable logs are marketed as a way of verifying both application activity as well as making sure the cloud vendor acts in an appropriate manner, there is some value in that“ (Adrian Lane, Secorsis)

“ The value of this type of solutions for AWS is not debatable” (Director of ISVs Alliances, AWS)